Rate My Professors iOS App Stores Passwords Insecurely

Background

The Rate My Professors iOS app has a security problem: it stores the user's password unencrypted on the phone.

I tested this app:

Insecure Storage

Storing passwords without encryption is unacceptable for any app, according to the OWASP Mobile Application Security Verification Standard (https://github.com/OWASP/owasp-masvs), specifically these items:

The OWASP Mobile Top 10 2016 M4 (Insecure Authentication) explanation says:
"...mobile applications should never store a user’s password on the device; Ideally, mobile applications should utilize a device-specific authentication token..."
In 2018, the German chat platform Knuddels.de was fined €20,000 for storing user passwords in plain text.

Testing Method for Local Storage

I found this flaw using OWASP's recommended dynamic testing procedure:
The following steps can be used to determine how the application stores data locally on a jailbroken iOS device:
  1. Trigger the functionality that stores potentially sensitive data.
  2. Connect to the iOS device and navigate to its Bundle directory (this applies to iOS versions 8.0 and above): /var/mobile/Containers/Data/Application/$APP_ID/
  3. Execute grep with the data that you've stored, for example: grep -iRn "USERID".
  4. If the sensitive data is stored in plaintext, the app fails this test.
I used a jailbroken iPhone running iOS 12.4.4 with no passcode.
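To make step 3 of that procedure reproducible, here is an added shell harness (my own example, not code from the post or from OWASP). It builds a constructed fake data container with a plist standing in for NSUserDefaults, then greps it the way the procedure describes; the container layout, bundle id and secret value are all assumptions.

```shell
#!/bin/sh
# Hypothetical harness for the OWASP local-storage check. On a real test the
# container is the app's data directory on the jailbroken device:
#   /var/mobile/Containers/Data/Application/$APP_ID/
# Here a fake container is constructed so the check runs offline.

make_sample_container() {
  dir=$(mktemp -d)
  mkdir -p "$dir/Library/Preferences" "$dir/Documents" "$dir/Library/Caches"
  # Constructed XML plist (NSUserDefaults stand-in) with the password stored verbatim.
  cat > "$dir/Library/Preferences/com.example.app.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>username</key><string>student@example.edu</string>
  <key>password</key><string>Hunter2-Constructed</string>
</dict></plist>
EOF
  # Constructed cache holding only a session token, which is what the OWASP
  # guidance recommends keeping on the device instead of the password.
  printf 'token=eyJhbGciOi...constructed\n' > "$dir/Library/Caches/session.txt"
  echo "$dir"
}

# Step 3: search the container for the exact value entered in step 1.
# Prints every file:line containing it. Return 1 = FAIL (plaintext found), 0 = PASS.
# Binary plists keep ASCII strings byte-for-byte, so grep still matches them;
# for UTF-16 values convert with `plutil -convert xml1` on the device first.
find_plaintext_secret() {
  container=$1; secret=$2
  hits=$(grep -iRnF -- "$secret" "$container" 2>/dev/null)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}
```

Run `find_plaintext_secret /var/mobile/Containers/Data/Application/$APP_ID/ 'the-password-you-typed'` on the device; any hit in Preferences, Documents or Caches means the app fails the test, while a token-only cache passes.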

I created an account. As shown below, the password was stored on the iPhone.

Notification

I sent this message on 1-12-2020:

I got this reply on 1-13-2020. Clearly they don't care and won't be fixing it.


Posted 1-12-2020 by Sam Bowne
Updated with vendor response and more OWASP items added 1-13-2020