Many Android and Apple Apps allow brute force attacks

Pierluigi Paganini July 17, 2015

According to a recent research published by experts at the AppBugs firm many Android and Apple mobile apps allow brute force attacks.

Android and Apple devices are the most used worldwide, millions of mobile users every day use the apps available in their official stores, but what if the majority of these applications are vulnerable to brute force attack?

Researchers at AppBugs found 53 Android and Apple apps are affected by the password brute force issues. The list of flawed apps includes SoundCloud, ESPN, CNN, Expedia, and Walmart.

“Password brute force vulnerability in a web service allows an attacker to make unlimited login attempts to the web service in order to guess the correct password of a victim user. Even iCloud has been found to have had such a hole and it was rumored to be the cause of the massive celebrity hack happened in late 2014. AppBugs found 53 mobile apps (Android and iOS, approximately 600 million users impacted) have the password brute force issues in their web services and attackers can exploit the holes immediately to steal users passwords.” States the blog post published by AppBugs.

15 apps from the list failed to fix server-side problems after being given 30 days to fix the problem before disclosure.

The known apps Wunderlist, Dictionary, and Pocket implement new fixes, to prevent brute force sign in attempts after being inform about their apps problems.

AppBugs researchers citing the paper “The science of guessing: analyzing an anonymized corpus of 70 million passwords” explained that hackers could take between 30 minutes to a month to break into most accounts.

“Password brute force vulnerability in a web service allows an attacker to make unlimited login attempts to the web service in order to guess the correct password of a victim user,”

“Assuming the attacker makes login attempts to the vulnerable service 30 times per minute, it takes him half hour to 24 days to guess a password, depending on the strength of the target password.”

“Attackers have no problem launching the attacks from multiple IP addresses on multiple user accounts in parallel and often can make guesses more than 30 times per minute. If today the attacker launches such attack against most user accounts in parallel, he will be able to get most user passwords within 24 days.”

All the tested applications weren’t using two-factor authentication so there isn’t much that can be done from the user side to protect their data.

Enjoy the paper!

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – brute force, mobile Apps)

Android Apple brute force Hacking iOS mobile mobile apps two-factor authentication

Pierluigi Paganini July 27, 2025

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

Pierluigi Paganini July 27, 2025