Simple app shares SSL vulnerability with other banking sites, sends personal data on login (Updated)

Update: Good news for Simple customers: the company has already removed your SSN from its encrypted communications and is actively working on a fix to the SSL issue (but it will likely require an app update).

Just this past May, Simple Finance launched its iOS app -- also called Simple -- to help budget-minded iPhone users manage their spending. The app is rather powerful and, given that it has access to your various payment methods, it stores plenty of sensitive personal data including your bank account information. Unfortunately, Nick Arnott of Neglected Potential has discovered that the app doesn't do as much as it could to protect personal data.

After poking around the guts of the app, Arnott noted a troubling SSL security hole. The good news is that the app uses encryption to send your information back and forth to its servers, but the bad news is that it has no way of confirming that the server it's speaking to is the genuine one. In theory, a third party could sit in the middle of the connection, listening in and simply passing the data back and forth as though it were never there. This isn't particularly unusual, and Arnott even notes that most other online banking tools operate in the same manner.
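An added example, not code from Simple, Arnott or this article: a Python illustration of the server check described above as missing, under the assumption that it takes the form of certificate pinning on top of ordinary CA and hostname validation. The function names and pin set are hypothetical, and the sample certificate bytes are constructed.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a server certificate's DER bytes (not a real certificate).
SAMPLE_CERT_DER = b"constructed-der-bytes-for-api.example.test"
# Pin set shipped inside the client: SHA-256 of each certificate it will accept.
PINNED_SHA256 = {hashlib.sha256(SAMPLE_CERT_DER).hexdigest()}


def cert_matches_pin(der_cert: bytes, pins: set) -> bool:
    """Return True only if the certificate's SHA-256 digest is in the pin set."""
    if not der_cert:
        return False
    digest = hashlib.sha256(der_cert).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    return any(hmac.compare_digest(digest, pin.lower()) for pin in pins)


def open_pinned_connection(host: str, port: int, pins: set) -> ssl.SSLSocket:
    """Connect with normal CA and hostname validation, then enforce the pin."""
    context = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = context.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # The pin check runs before any credentials or account data are sent.
    if not cert_matches_pin(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError("server certificate does not match any pinned digest")
    return tls
```

Pinning the server's own certificate means the pin set has to change whenever that certificate is rotated, which is why a fix of this kind normally ships as an app update and usually carries a backup pin.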

But while a scenario in which a data thief harvests your information in this manner is unlikely, Arnott discovered an even more puzzling "feature" of the app. It seems that when you sign in to Simple on your iOS device, the data sent from Simple's servers back to your phone includes a host of personal information. Your name, email address, physical address, phone number and even your social security number are making their way from Simple's computers to your device each time you log in.

With these concerns in mind, Arnott attempted to alert Simple's support team in hopes that they would patch up the vulnerability or offer additional information. The response he received essentially says that Simple knows the issue exists, and it may be fixed down the road. If you're a Simple user, or simply want to know more about the app's security (or lack thereof), you can find more details on Neglected Potential.