A number of mobile tax apps could be putting users’ personal information at risk of exposure to hackers, according to security researchers.
Appthority, a San Francisco-based mobile enterprise security company, found that some of the more common tax apps such as MyBlock from H&R Block exhibited risky behaviors, including not encrypting personally identifiable information, also known as PII, and sharing users’ location. Overall, Appthority found that Android apps exhibited more risky behaviors than their iOS counterparts.
Many of the apps also disclose file-paths to the source code, enabling hackers to target the app developer as a way to infiltrate the app rather than the user.
“Overall we looked at three different types of security concerns,” said Appthority president and co-founder Domingo Guerra. “One was security vulnerabilities—not following best practices, not doing things the way the security industry recommends for developers to build apps. Second was privacy-invasive behavior, which we’re starting to see more and more often in apps. When apps offer a service for free, it’s not really for free. The user’s data becomes the product. A lot of apps are collecting PII, personally identifiable information, and then selling that or sharing that with their partners. Third, we were looking for data exfiltration risks, which means when you send something that’s sensitive without properly protecting it, even if you’re sharing it between two trusted parties, an untrusted third party can intercept that data if it’s not properly secured. We were looking at those types of security concerns for almost 30 apps, both iOS and Android.”
In the higher-risk category were the Android version of H&R Block’s MyBlock app, along with the iOS version of another company’s app, TaxBot, and an Android app known as Calculator for U.S. Taxes.
“For MyBlock on Android it landed in the higher-risk [category] because it was sending the device ID and some PII without encryption,” said Guerra. “For iOS, MyBlock landed in the medium risk [category] because it was sharing the location of the user without encryption.”
H&R Block spokesman Gene King defended the app’s security. “H&R Block takes client privacy and data security very seriously,” he told Accounting Today. “We continually monitor and analyze our systems via third party and internal measures. While we did identify and address certain issues prior to and early in tax season, at no time do we believe personally identifiable information was at risk.”
Other apps landed in the low-risk and medium-risk categories, according to Appthority.
“Low risk is where we saw some of the apps maybe sharing more extra information than they should, mainly in their source code, so this doesn’t put the user data at risk, but it can put the developer’s information at risk,” said Guerra. “Here we found some names of apps where sometimes it was their own code, and sometimes it was a third-party library that they used in their app that was exposing source code. The risk there is that an attacker can learn how to defeat an app if they learn about how the app was built, so that’s why we really shouldn’t have information on the source code. Also the developer’s personal information, like their name and email, can be exposed as well to spammers or to hackers. Low risk is just exposing source code information in the app instead of deleting those notes when the app gets compiled.”
Apps in the low-risk category include the iOS version of Evernote, the iOS version of TurboTax, the iOS version of Expensify, the iOS version of Quick Tax References, the iOS version of MyBlock, the iOS version of the IRS’s own mobile app IRS2Go, the iOS version of MyTaxRefund, and the iOS version of TaxCaster.
“TurboTax landed under the low risk,” said Guerra. “It wasn’t their own source code that was exposed, but one of the App.net app libraries that used third-party code. That third-party developer source code was exposed.”
In the medium-risk category were the iOS version of MyBlock, the iOS version of Ask a CPA Tax Answers Free, and the Android version of the IRS’s IRS2Go app.
“In medium risk, it was a combination of behaviors, from accessing privacy invasive information and then not properly securing it,” said Guerra. “For example, some apps need your location if you’re trying to find the nearest H&R Block office. But that information, if it’s collected, should be encrypted because otherwise other apps or other third parties could know where you are at any moment. We saw a few apps that were sending location without encryption. Maybe it’s not a huge concern. That’s why we looked at it as a medium risk, but it’s still privacy invasive. We think the fact that Apple and Google make apps ask you for permission before tracking you means that information is valuable enough that it requires your permission. It should be protected, it should be encrypted.”
Appthority also looked at TaxAct Express and TaxSlayer’s mobile app, but those came back clean.
In general, apps from larger software companies had fewer security vulnerabilities than those that came from individuals.
“What I found is that these are big apps with big developer budgets, so they were generally safer than some of the lesser known apps to have access to our tax information,” said Guerra. “Some of my conclusions were that, although this was high risk, at least it wasn’t exposing a user’s tax return, which would have been catastrophic. When we think about the type of data that’s in it, it has your Social Security number and your date of birth, and a lot of that information that can be used to hijack your identity. From that perspective, all of these apps were relatively safe from a user’s perspective, but I would shy away from maybe some of the lesser known apps that are maybe not built by a corporation, but by an individual person that tries to pass it off as a tax app. And definitely stay away from third-party app stores that offer tax apps because those apps haven’t even been reviewed by Apple or Google.”
Security vulnerabilities in a tax app can be magnified, however, by hackers who are using other apps that are not tax apps.
“With Truecaller, if you have somebody’s device ID, you can look up all of their information, including their last location and information about what they have stored on their device,” said Guerra. “So if a tax app is leaking a UDID [unique device identifier], then a malicious person could use those UDIDs to find users’ information without other app vulnerabilities. That’s a little bit more of a sophisticated attack where you have multiple layers of an attack, but it raises the importance of encrypting all this traffic.”
Appthority only reviewed consumer tax software this year, but next year the company may take a look at tax apps for professional tax preparers.
“The tax preparer is maybe something that we’ll look at for next year’s tax apps,” said Guerra. “Because of the number of tax returns that a tax preparer handles, then it’s probably even more important to have proper security there.”
