Warren Buffett's Berkshire Hathaway accused of exposing sensitive user data through flaws in its Android app
- Warren Buffett's Berkshire Hathaway has been accused of exposing sensitive user data through flaws in its real estate app, Berkshire Hathaway HomeServices Home Search.
- Mobile security firm NowSecure identified the flaws, which left information including phone numbers and email addresses vulnerable to attack.
- Berkshire Hathaway told Business Insider that NowSecure tested an old version of the app and "critical vulnerabilities" have been fixed in the updated version.
- NowSecure investigated 250 mobile apps and found that those run by firms including American Airlines and Sears also contained flaws that exposed user data.
Warren Buffett's Berkshire Hathaway has been accused of unwittingly exposing the personal information of people using its real estate app.
Chicago-based mobile security firm NowSecure discovered vulnerabilities in the Berkshire Hathaway HomeServices Home Search app, as part of an investigation into the security of hundreds of apps on Google's Play Store.
The Home Search app has been downloaded more than 50,000 times through the Play Store and allows users to browse real estate within the Berkshire Hathaway HomeServices network from across the US.
NowSecure told Business Insider that the app was found to "leak personal information in multiple ways," including failing to encrypt sensitive data. Information vulnerable to bad actors included usernames, phone numbers, email addresses, GPS locations, and Android IDs, NowSecure said.
It is not clear how many users had their data exposed and there is no suggestion from NowSecure that information fell into the wrong hands. It did not reveal the exact nature of the flaws because of concerns that the app could be targeted by hackers.
NowSecure said it carried out its responsible disclosure process with Berkshire Hathaway last month regarding the precise nature of the app's vulnerabilities. Although Berkshire Hathaway did not respond to NowSecure, it told Business Insider that any issues have now been resolved.
A spokeswoman said: "The mobile app that was tested was an outdated version. Any critical vulnerabilities were remediated in the current version."
Sears and American Airlines apps also accused of exposing user information
The Berkshire Hathaway app was one of 250 apps examined by NowSecure. As part of a report it is poised to publish next week, it examined the security of apps across five areas.
NowSecure said 92% of online retail apps, 82% of brick and mortar retail apps, 67% of travel apps, 48% of finance apps, and 69% of insurance apps were found to "actively leak sensitive consumer data."
Besides Berkshire Hathaway, other major Android apps found to contain vulnerabilities included those from American Airlines and Sears.
NowSecure said the Sears app exposed emails, usernames, and device IDs. Usernames, device IDs, and location data were vulnerable through the American Airlines app, it added.
NowSecure said it has carried out responsible disclosure with both American Airlines and Sears regarding the exact nature of the vulnerabilities. It said that while American Airlines has since repaired its app's flaws, Sears did not respond to its disclosure.
Sears declined to comment. American Airlines is yet to respond to Business Insider's request for comment.
NowSecure 'shocked' at the findings of its investigation into Android apps
NowSecure's CEO, Alan Snyder, told Business Insider his company was "shocked" at the findings. He added that the report's goal is to spread awareness among consumers regarding app security.
"Our message to consumers is, first and foremost, to be mindful that many of these apps are in fact leaking your information," Snyder said. "If you don't need that app - if it's not critical to you - then don't leave it on your device, because it's probably giving out some of your information."
Snyder also said developers need to do more to prevent vulnerabilities.
"What we see is that a lot of developers have moved over to mobile from other platforms. So they're just not as familiar with mobile, and they're making very repetitive, common mistakes," he said.
"Quite frankly, web and mobile are just different. Developers are making mistakes on the assumption that mobile is going to work the same as what they were used to, and that's a terrible assumption."