Plain Vanilla, the developers behind QuizUp, has fixed the server side issues that caused data to be transmitted unprotected from the QuizUp servers. An update to the iPhone app should fix issues there. It appears that at least some of the major problems, including sensitive user data being transmitted unnecessarily, have been fixed.
The developer says that data is never sent to their servers as plain text, and is encrypted with SSL, and that the encyrption was weakend in some instances by a bug. While this is true, it was also not the problem. The issue was that the data was unhashed, meaning that while the SSL encryption kept out malicious third parties, the contents of the SSL traffic were readable by the sender and receiver. Since the data being sent is sensitive information about other users, this is a problem. If someone was to sniff the traffic to the app on their phone, they could see things like their opponent's Facebook tokens, which could make it possible to post as them. Thankfully, it seems like Facebook tokens are no longer transmitted between users.
Plain Vanilla also says that in reviewing QuizUp's security features, they discovered and fixed some minor errors. First, they claim that address book data was never stored on their servers, and was only used temporarily to help find friends. But address book content was sent to the servers unhashed, which will require an update to the QuizUp app to fix. Second, they say that a server error inadvertently sent a player's data to another player if they had modified the app to decrypt information. However, the app need not have been modified, as all a user needed to do to find this data was sniff the traffic coming to their phone. It does appear that Plain Vanilla has fixed this issue as well, as the data that gets transmitted no longer includes the user's gender, email address, or birthday, among other things.
The updated version of the QuizUp app is currently awaiting approval in the App Store and it's good to see Plain Vanilla taking these steps to improve security in their app.
Are you happy with the fixes being made to QuizUp? Will you keep playing? Let us know in the comments.
Special thanks to Nick Arnott
