HP Finds Mobile Tax Apps Lacking On Security, Privacy

As the clock ticks toward midnight, putting an end to tax day 2014, Hewlett-Packard is warning consumers of mobile tax and finance apps that they may want to audit their own usage.

According to the HP audit, more than 90 percent of the applications the company tested, including TurboTax, TaxACT and TaxSlayer, contained at least one potential privacy violation.

Those included accessing the phone’s address book or geo-location, storing sensitive data in clear text, not setting cookie properties securely, and transmitting data insecurely.

Another 50 percent of the applications use cryptographic methods that are known to have security weaknesses, such as MD5 or SHA-1. Other flaws included image caching from a Social Security number input screen, which could expose the information to malware installed on the device.

“The bottom line is that even with all the best intentions of providing fast tax filing assistance, mobile tax apps could put users at risk,” said Maria Bledsoe, Senior Manager of Product Marketing at HP. 

“Usually the mobile app interacts with a cloud service and typically you’d file your taxes on your PC,” Bledsoe said. “But all the software services for tax preparation have mobile app extensions so you can check on your refund, and get status updates on your account.”

Ultimately the applications are still accessing data from the account, and from a security standpoint, that mobile app is just as dangerous, said Bledsoe.

“A lot of companies are looking at mobile apps as a fancy user interface, and they’re putting their protection on the back-end behind their firewall,” she said. “But they’re not realizing yet that this is yet another attack vector and is an entry point for the hackers.”

Companies are responsible for the sensitive data they manage, but consumers need to be aware and actively control what information they give to application providers.

“We have the tendency these days of downloading any app under the sun because it’s cool and nice,” Bledsoe said. “This stuff is not just a fancy user interface. All your private data is sitting right there so you have to be pretty careful with what you’re putting on your phone… [For instance] if there’s no reason why this app has access to this address book, don’t let it.”

Photo via Flickr user Alan Cleaver