Palringo has severe security issues

Many iPhone users are happy that there is finally an instant messaging client that claims to support all the important services like ICQ, MSN, Gtalk, Yahoo-Chat and so on. So was I, and I happily installed Palringo today. But after a short while the happiness was gone. It was already suspicious from the beginning that you have to register an account with Palringo before being able to use it. After a short investigation I knew why.

In fact the Palringo client on the iPhone does not support any of the aforementioned services. All the client is doing is setting up a connection to a server (echo.palringo.com:38535), which then connects to the different services you want to use. This implies several security issues.

First, this means that Palringo is storing the passwords for all the different IM services you are using, and this is dangerous. For many services, like Google or MSN, these passwords are not only used for the chat system, but might also be used for your personal email account or even credit card payments! Are you sure you wanna share that with some random company? Besides that, they can read all of your communication. (At least if you don’t use end-to-end encryption.)

But this is not the whole story. What really bothers me is that this connection from the iPhone to the Palringo server is completely unencrypted and plain text! Since the iPhone exclusively uses wireless technologies, this is particularly severe. It means that everybody in your vicinity can very, very easily intercept all of your communication and all your passwords as well. Remember, the same passwords might be used for your personal email or credit card payments. You don’t want that.
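Whether an app's connection is protected can be checked from a capture of your own device's traffic by looking at the first bytes the client sends. The Python below is an added example, not code from the original post or from Palringo; the sample payloads, the canary password and all function names are constructed for illustration and do not reproduce Palringo's actual protocol.

```python
import struct

# Constructed sample payloads (not real Palringo traffic or its real protocol).
# SAMPLE_TLS is a TLS record header + ClientHello header followed by zero padding.
SAMPLE_TLS = bytes.fromhex("160301002a010000260303") + bytes(36)
SAMPLE_PLAIN = b"LOGIN\nuser: tester@example.com\npassword: canary-Pw-7391\n\n"


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the payload opens with a TLS handshake record holding a ClientHello."""
    if len(payload) < 6:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != 0x16 or major != 3 or minor > 4:
        return False              # not a handshake record / not SSL3..TLS1.3
    if not 0 < rec_len <= 2 ** 14:
        return False              # record length outside the TLS limit
    return payload[5] == 0x01     # handshake message type 1 = ClientHello


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not payload:
        return 0.0
    hits = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return hits / len(payload)


def classify_first_flight(payload: bytes, canaries=()) -> dict:
    """Classify the first client-to-server bytes of one TCP connection.

    `canaries` are throwaway secrets typed into the app under test; finding one
    verbatim in the payload proves it crossed the network unprotected.
    """
    leaked = [c for c in canaries if c.encode() in payload]
    if looks_like_tls_client_hello(payload):
        verdict = "tls"
    elif leaked:
        verdict = "cleartext-credentials"
    elif printable_ratio(payload) > 0.8:
        verdict = "cleartext"
    else:
        verdict = "unknown-binary"   # could be compressed or custom-encrypted
    return {"verdict": verdict, "leaked": leaked}


if __name__ == "__main__":
    print(classify_first_flight(SAMPLE_TLS))
    print(classify_first_flight(SAMPLE_PLAIN, ["canary-Pw-7391"]))
```

A "tls" verdict only shows that a handshake was started; it says nothing about certificate validation or about what the relay server does with the credentials once it has them.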

So please do yourself a favor and don’t use Palringo! (At least not the current version.)