Over the past few weeks, the iOS trivia app QuizUp has enjoyed a run close to the top of the App Store charts. The app, which pits user against user in a general knowledge quiz, has come under fire this week over perceived security weaknesses in the way it shares users' data. In a post titled "Our Responsibility as Developers," developer Kyle Richter highlights a number of flaws, many of which could expose both your and your friends' information to random users.
The problem, explains Richter, lies with QuizUp's matching system. Richter is (intentionally) a little vague about how and when information is transmitted, but it appears the app sends "full names, Facebook IDs, email addresses, pictures, genders, birthdays, and even location data" in plaintext over SSL. "I have been able to access the personal information of hundreds of people who I have never met," says Richter.
Mistakes were made
Richter attempted to raise his concerns with QuizUp's developer, Plain Vanilla Games, before going public with the flaws, and he both censors and withholds sensitive information in his blog post to avoid putting people at risk. Despite his attempts to resolve the situation, he says he received no reply prior to posting. Since Richter went public, Plain Vanilla Games has made a series of statements to TechCrunch, denying some of the claims but ultimately accepting that mistakes were made, specifically in sending the contents of address books without first encrypting them. It says some server-side fixes have already been made, and other issues will be addressed by an app update once it's been approved by Apple.