XFINITY Mobile App Leaking Username/Password?

We recently told you about the XFINITY Mobile app for Android, an app that lets you do a whole bunch of stuff, though most people are likely interested in its DVR control and its (lackluster) video streaming capabilities.

The app lets you talk to your configured DVRs, check voicemail and email, and even has some address book functionality. To do this, the app has to know your XFINITY username and password. Unfortunately, the app writes your credentials to your Android’s system log.

Additionally, the [email protected] and YOURPASSWORD fields appear on a line that starts with “D/HTTPManager”, implying this may be sent in clear text via HTTP, which would make your login available to anyone with a packet sniffer between you and Comcast/XFINITY’s servers. It’s unknown whether or not this is the case. Whether or not it is being sent across the web doesn’t change the fact that the logs are accessible to anyone with physical access to your device, and may be included in data that can be sent in a force-close report.
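A way to check a device log for this kind of leak, as an added example that is not from the original article or from the app: it parses logcat lines in the `brief` format, flags messages carrying secret-looking `key=value` parameters, and reports them with the values masked. The sample lines, host names and parameter names are constructed, since the app's actual log format is not shown here.

```python
import re

# logcat "brief" format: <level>/<tag>(<pid>): <message>
LINE_RE = re.compile(r"^([VDIWEF])/([^(]+?)\s*\(\s*\d+\):\s?(.*)$")
# key=value pairs as they appear in query strings and form bodies
PAIR_RE = re.compile(r"(?P<key>[A-Za-z_][\w.\-]*)\s*=\s*(?P<val>[^&\s]+)")
# Substrings that mark a parameter name as secret-bearing (assumed list).
SECRET_HINTS = ("pass", "pwd", "token", "secret")

def is_secret(key):
    return any(h in key.lower() for h in SECRET_HINTS)

def redact(msg):
    """Mask the value of each secret-looking parameter, keep everything else."""
    def mask(p):
        if not is_secret(p["key"]):
            return p.group(0)
        return p.group(0)[: p.start("val") - p.start()] + "<redacted>"
    return PAIR_RE.sub(mask, msg)

def scan(lines):
    """Return one finding per log line that carries a secret-looking parameter."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a brief-format line
        level, tag, msg = m.groups()
        keys = [p["key"] for p in PAIR_RE.finditer(msg) if is_secret(p["key"])]
        if keys:
            findings.append({
                "line": number, "level": level, "tag": tag, "keys": keys,
                # An http:// URL in the message is only a hint of clear-text
                # transport, not proof of it.
                "http_url": "http://" in msg.lower(),
                "redacted": redact(msg),
            })
    return findings

# Constructed sample lines, not output from the real app.
SAMPLE = [
    "I/ActivityManager(  120): Displayed com.example.app/.Main: +350ms",
    "D/HTTPManager( 4242): POST https://login.example.invalid/auth "
    "user=alice@example.invalid&password=hunter2",
    "D/HTTPManager( 4242): GET http://api.example.invalid/dvr?token=abc123&box=1",
    "W/HTTPManager( 4242): retrying request, attempt=2",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

To run it against a device you own, pass the lines from `adb logcat -d -v brief` to `scan()` instead of `SAMPLE`.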

The Android Market states that an update is coming soon, but doesn’t indicate that this security issue is known or has been addressed in the upcoming release of the app. We hope that this security hole is patched up sooner rather than later!

Source: XDA-Developers

About The Author
Joe Levi
Joe graduated from Weber State University with two degrees in Information Systems and Technologies. He has carried mobile devices with him for more than a decade, including Apple's Newton, Microsoft's Handheld and Palm Sized PCs, and is Pocketnow's "Android Guy". By day you'll find Joe coding web pages, tweaking for SEO, and leveraging social media to spread the word. By night you'll probably find him writing technology and "prepping" articles, as well as shooting video. Read more about Joe Levi here.