PayPal Fixes iPhone App Security Flaw

Internet payment provider PayPal this week raced out a fix for a security vulnerability in its iPhone application that could have tricked users logging in through an unsecured Wi-Fi connection into sharing their passwords and account information.

PayPal officials were not immediately available to comment on the security risk, but according to a Wall Street Journal report, the eBay (NASDAQ: EBAY) unit rushed out a secure version of the app to Apple’s (NASDAQ: AAPL) App Store for users to download. It also said it would reimburse any users who lost funds as a result of the breach.

At this point, it’s unknown if or how many PayPal users were affected by the security flaw.

A company spokesperson told the Journal that the vulnerability would only have compromised users running the iPhone version of the app. Thus far, the flaw has not impacted users accessing the payment processing function through the Android mobile app or via the PayPal website.

The security hole underscores the security challenges facing mobile application developers, carriers and device manufacturers as more and more people use their smartphones and other mobile devices to conduct transactions and access bank accounts on the go.

In September, Cisco Systems (NASDAQ: CSCO) rolled out its AnyConnect Security Mobility software for enterprise clients running Apple’s iOS 4.1 mobile OS, giving IT administrators a dashboard to quickly revoke access for a lost or stolen iPhone.

But for consumers, the race is on to find effective mobile security options that protect them and their data from outside intrusions.

This particular security hole concerned the inability of PayPal’s iPhone app to verify the digital certificate created and verified by the company’s website. Without the electronic confirmation, according to the report, someone could have logged into a Wi-Fi hotspot in the general vicinity of a PayPal user and swiped usernames and passwords to their accounts.
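As an added illustration (not from the original article and not PayPal's code): the report gives no implementation detail, so this Python example assumes a generic TLS client and shows the two checks that together make up certificate verification, flagging a client configuration that skips either one. The function names are hypothetical.

```python
import ssl

def audit_tls_context(ctx):
    """Return the certificate-validation gaps found in a client TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Any certificate, including a self-signed one, would be accepted.
        findings.append("certificate chain is not validated against trusted CAs")
    if not ctx.check_hostname:
        # A valid certificate issued for a different site would be accepted.
        findings.append("certificate is not matched against the requested hostname")
    return findings

def unverified_context():
    """Client context with verification switched off (the weak setting)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def chain_only_context():
    """Chain is validated, but the hostname is never compared."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx

def verified_context():
    """Library default: chain validation plus hostname matching."""
    return ssl.create_default_context()

if __name__ == "__main__":
    for name, make in [("unverified", unverified_context),
                       ("chain only", chain_only_context),
                       ("verified", verified_context)]:
        issues = audit_tls_context(make())
        print(name, "->", issues or "no validation gaps")
```
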

Earlier this month, a security review on the AppleInsider website found that 68 percent of the top iPhone apps in the App Store transmitted an unencrypted unique device identifier that could reveal personal information.

Larry Barrett is a senior editor at, the news service of, the network for technology professionals.

To keep up-to-date on mobile security news, follow eSecurity Planet on Twitter @eSecurityP.

Larry Barrett is an eSecurity Planet contributor.
