Android Instapaper users at risk of man-in-the-middle attacks

Graham Cluley

Instapaper is a great little smartphone app, useful for saving any interesting articles you stumble across while browsing the web for perusing later at your convenience in an easy-to-read format.

But, say security researchers at Bitdefender, the Android version of Instapaper has a vulnerability that could allow hackers to snoop upon your account’s username and password.

According to a Bitdefender blog post, Instapaper is vulnerable to a “man-in-middle” attack if you try to log into your account via a WiFi network that is being monitored by malicious hackers.

Password exposed

The problem is that although Instapaper handles the entire communication via HTTPS, it performs no validation of the certificate presented by the server it is communicating with. That means an attacker on the same network could present their own self-signed certificate and start “communicating” with the victim’s app, reading the username and password as they go past.
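Illustrative Java added here (not code from the article, Bitdefender or Instapaper; the article does not say how the app skipped validation, so the trust-all TrustManager is an assumed example of the usual anti-pattern), showing that pattern next to a TrustManager that keeps the platform's validation and adds the public-key pinning the reader comment below asks for:

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsTrust {
    // ANTI-PATTERN (assumed; the article does not show Instapaper's code): checkServerTrusted
    // never throws, so ANY chain is accepted, including an attacker's self-signed certificate.
    static void installTrustAll() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    // FIX: keep the platform's chain validation and additionally pin the leaf's
    // SubjectPublicKeyInfo hash. expectedPin is the base64 SHA-256 of the server's
    // SPKI, recorded at build time (java.util.Base64 needs Android API 26+).
    static X509TrustManager pinned(final String expectedPin) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                  // null = the device's system trust store
        final X509TrustManager system = (X509TrustManager) tmf.getTrustManagers()[0];
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { system.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a)
                    throws CertificateException {
                system.checkServerTrusted(c, a);    // chain, expiry and trusted root first
                String got;
                try {
                    byte[] spki = c[0].getPublicKey().getEncoded();
                    got = Base64.getEncoder().encodeToString(
                        MessageDigest.getInstance("SHA-256").digest(spki));
                } catch (java.security.GeneralSecurityException e) { throw new CertificateException(e); }
                if (!got.equals(expectedPin)) throw new CertificateException("SPKI pin mismatch");
            }
            public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }
        };
    }
}
```

Install the pinned manager with `ctx.init(null, new TrustManager[]{ pinned(pin) }, null)` and leave the default HostnameVerifier alone, since the hostname check is separate from the TrustManager and a rogue certificate for the wrong name must still be rejected.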

Although you may not (or perhaps you do) care that much about an unauthorised party seeing which articles you are storing in your Instapaper account, the problem gets even more serious when you consider that many users are likely to be using the same password for many other online accounts.

Bitdefender says it informed the developers of the Instapaper app of the problem, who have tweeted back that it is fixed in the latest version available from the Google Play store.

For a long time I have felt that the biggest security problem facing smartphone users is the apps that they run on their devices. Too many apps, amongst them some of the world’s most popular apps, are doing a poor job of securing their users’ information.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “Android Instapaper users at risk of man-in-the-middle attacks”

  1. Graham, there's a typo in your article: "HTTTPS" (too many t's).

    I wish more mobile apps (and browsers) would implement certificate pinning; it would make the internet a safer place and reduce very many MiTM attacks.
