
Quidco App for Android Logs Username, Password, IMEI and Card Details Without Encryption

Quidco App for Android v1.0.4 – Still Just A Beta Test

I installed the Quidco app for Android from the Market a few days back, and I thought it would be nice to do a review.
However, after a bit of poking around I found a log file – Qlog.txt – with my Quidco username and password stored in plain text.

Quidco Username & Password

A quick check also revealed that the app was logging my Quidco user ID and my phone's IMEI number.
The IMEI is unique to each handset and doesn't necessarily identify an individual; the SIM does that through the IMSI.

Anyway, the Quidco app reads your IMEI through the READ_PHONE_STATE permission, which is requested on installation. It is shown below as Read Phone Status and ID.

Quidco App Permissions

Store Card

The app gives you the opportunity to register a credit card, for earning in-store cash back.
I read through the terms and conditions first, to see what safeguards are in place to protect my data.

T&C Section 2

Great! My card details are only stored and processed in encrypted format...

The screen grab was made after the bug was found, to illustrate the problem, but the log file is exact apart from the redactions.

My Card 8888..

Logged Un-Encrypted

Data Protection Fail.
Please note: the screen grab of the card number was made after the bug was found, to better illustrate the problem, but the log file is exact apart from the redaction.

Further Development

This fault has been reported to Quidco. Uninstalling the app does not delete the log file.
My handset has root privileges; you may be able to view or delete your own log file without root.
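If you want to check a surviving copy of the log on your own handset, the script below is an added example (not code from this post or from Quidco). It works on constructed Qlog.txt-style lines with made-up values: it flags username/password fields, and any unbroken digit run of IMEI or card length that passes the Luhn checksum (both IMEIs and card numbers use it), then produces a redacted copy that is safe to attach to a bug report. The field names (user, pass, imei, pan) are assumptions about the log format, not taken from the real file.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the style of the Qlog.txt debug log described above.
# Every value is made up; nothing here comes from the real app or a real account.
SAMPLE_LOG = """\
2011-08-20 10:01:02 login user=alice.example pass=Hunter2!
2011-08-20 10:01:03 device imei=490154203237518 userid=123456
2011-08-20 10:05:11 storecard pan=4111111111111111 expiry=12/13
2011-08-20 10:05:12 storecard response=ok ref=98765432101
"""

# key=value fields that carry account identifiers or secrets (assumed key names)
FIELD_RE = re.compile(r"\b(user(?:name|id)?|pass(?:word)?|pwd)=(\S+)", re.IGNORECASE)
# unbroken digit runs long enough to be an IMEI (15) or a card PAN (13-19)
DIGITS_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


@dataclass
class Finding:
    line_no: int      # 1-based line in the log
    kind: str         # "identifier", "password", "imei" or "card_number"
    redacted: str     # the value in a form that is safe to quote in a report


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, shared by card numbers and IMEIs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, as card receipts do."""
    return "*" * (len(digits) - 4) + digits[-4:]


def classify_digits(digits: str) -> Optional[str]:
    if not luhn_valid(digits):
        return None                         # reference numbers usually fail the checksum
    # 15 digits is the IMEI length, but an Amex PAN is also 15 digits, so this
    # label is "probable"; the field name next to it settles it for a human reader.
    return "imei" if len(digits) == 15 else "card_number"


def scan_log(text: str) -> List[Finding]:
    """Return every sensitive value found, already redacted for reporting."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in FIELD_RE.finditer(line):
            key, value = m.group(1).lower(), m.group(2)
            if key.startswith("pass") or key == "pwd":
                findings.append(Finding(line_no, "password", "[REDACTED]"))
            else:
                findings.append(Finding(line_no, "identifier", value))
        for m in DIGITS_RE.finditer(line):
            kind = classify_digits(m.group(0))
            if kind:
                findings.append(Finding(line_no, kind, mask(m.group(0))))
    return findings


def redact_log(text: str) -> str:
    """Produce a copy of the log with passwords and Luhn-valid numbers masked."""
    def _field(m):
        key = m.group(1)
        if key.lower().startswith("pass") or key.lower() == "pwd":
            return f"{key}=[REDACTED]"
        return m.group(0)

    def _digits(m):
        return mask(m.group(0)) if classify_digits(m.group(0)) else m.group(0)

    return DIGITS_RE.sub(_digits, FIELD_RE.sub(_field, text))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
    print(redact_log(SAMPLE_LOG))
```

Point `scan_log` at the contents of the real file (read it with the file's own encoding) and the findings list tells you which lines to worry about; `redact_log` gives you a copy you can share with the developer without re-disclosing the very values you are complaining about.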

Update: the Quidco response to this issue is:

...that the Android version of the Quidco app is only a test version and this is not meant for use at the moment.

We have not launched the android version of the app so any personal use of this is completely at your discretion as we are currently running our own tests on this to ensure everything is ready before our official release.

If you have any worries or concerns, contact the app developer or read the Information Commissioner's Office guides:

Disclosure of personal information
If your personal information has been disclosed in a way that you did not expect you can complain to us.

http://www.ico.gov.uk/complaints/data_protection/supporting_evidence.aspx#disclosure

Security or loss of personal information
If your personal information has been lost or is not held securely you can complain to us.

http://www.ico.gov.uk/complaints/data_protection/supporting_evidence.aspx#security

I'm sure it's possible that a malicious program could be written to extract these details from your log and gain full access to your quidco.com account.
You do use a different username and password for all sites, don’t you?

  1. August 24, 2011 at 9:05 am

    The beta test version of the Quidco Android app stored member details in plain text for debugging purposes only. We have now released an update for the app which deletes the Qlog.txt file that was created in the past and no longer stores this information. We’d also like to assure members that all credit and debit card details entered via the app are sent to our servers and stored securely.

    • August 24, 2011 at 10:11 am

      Thanks for the open response, I believe yesterday you updated the beta to v1.0.5 to prevent the creation of debug logs.
      A new post for this fact is in creation, and will be uploaded tonight.

  2. Mark X
    November 17, 2011 at 3:49 am

    The best thing about this app is you can spoof your GPS location and earn money anywhere!

