Avira's Mobile Security iOS App Exposes Credentials in Cleartext

Not open for further replies.


Community Manager
Thread author
Staff member
Oct 23, 2012
Even the big InfoSec guns make silly mistakes sometimes
David Coomber of Info-Sec.ca has discovered a vulnerability in Avira's Mobile Security iOS application. The security bug was disclosed to Avira, which has recently fixed it in an update.

Avira, the famous antivirus company that provides one of the best free antivirus engines for home users, also creates and markets a lot of other security-related tools.

One of these is its Avira Mobile Security iOS app, which according to the company's description, is an application which can help users that have lost their iPhone.

The application can show the phone's location on a map, can lock access to email accounts once the phone is lost, can make the phone emit loud sounds so it can be found, or it can allow a user to call his phone, from Avira's Web-based dashboard.

According to Mr. Coomber, in all versions starting with 1.5.7 and below, this application is transmitting login information using an unencrypted HTTP POST request.

Even worse, passwords were "insufficiently protected by the insecure MD5 algorithm".

Leveraging this design flaw attackers would be able to sniff network traffic, capture username and password data, and then compromise the user's Avira account without his knowledge.

By getting access to the Avira Mobile Security app's dashboard, an attacker could then easily pinpoint any victim's position by using the app's built-in "Locate Device" feature (if the victim was carrying his iPhone everywhere with him, and most people do).

The vulnerability was discovered on July 17 and was fixed by Avira's security team on September 3 with the release of version 1.5.11 of its iOS application.
Not open for further replies.