Jamf Threat Labs discovers apps that leak credentials

Two mobile apps available for download are leaking personally identifiable information. Jamf Threat Labs investigates.

September 17 2025 by Jamf Threat Labs


Author: Michal Rajčan

During Jamf Threat Labs' continuous threat investigation, we came across two apps leaking credentials and Personally Identifiable Information (PII). One is from a Malaysian healthcare management platform and the other is from an Indian jewelry company. In this blog, we take a deeper dive into the apps and the data they are leaking.

For both apps discussed below, we contacted the developer with a responsible disclosure to fix the mentioned leaks but have not received a reply. As part of our standard research process, we are releasing these findings publicly as the responsible disclosure timeframe has ended.

The risk of leaky apps

These apps leak data over unencrypted HTTP requests while users are trying to log in to their accounts. This means that requests with credentials in clear form (not obfuscated) are sent to the organizations’ servers unencrypted, exposing these data to all devices connected to the same network. This is especially risky in cases of users connecting to public networks.
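One way a defender could check a proxy capture for the pattern described above. This is an added example, not Jamf's tooling: the capture format and the field names in `SENSITIVE` are assumptions, and the sample requests are constructed.

```python
import json
from urllib.parse import parse_qsl, urlsplit
# Hypothetical wire names: the page lists data types, not parameter names.
SENSITIVE = {"email", "username", "password", "full_name", "phone", "national_id"}

def _keys(obj):
    """Yield every key name found at any depth of decoded JSON."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key
            yield from _keys(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _keys(value)

def field_names(req, headers):
    """Collect parameter names from the query string, form body or JSON body."""
    names = [k for k, _ in parse_qsl(urlsplit(req["url"]).query)]
    ctype = headers.get("content-type", "").lower()
    if "json" in ctype:
        try:
            names += list(_keys(json.loads(req.get("body") or "")))
        except ValueError:
            pass  # empty or malformed JSON body: no names to extract
    elif "x-www-form-urlencoded" in ctype:
        names += [k for k, _ in parse_qsl(req.get("body") or "")]
    return names

def find_cleartext_leaks(requests):
    """Return (host, path, field names) for each plaintext-HTTP request that carries them."""
    findings = []
    for req in requests:
        url = urlsplit(req["url"])
        if url.scheme.lower() != "http":
            continue  # only unencrypted requests are of interest here
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        hits = sorted({n.lower() for n in field_names(req, headers)} & SENSITIVE)
        hits += ["authorization-header"] if "authorization" in headers else []
        if hits:
            findings.append((url.hostname, url.path, hits))  # names only, never values
    return findings

# Constructed sample capture (not traffic from either app).
JSON_CT = {"Content-Type": "application/json"}
SAMPLE = [
    {"url": "http://api.example.test/login", "headers": JSON_CT, "body": '{"user": {"email": "a@b.test", "password": "x"}}'},
    {"url": "https://api.example.test/login", "headers": JSON_CT, "body": '{"email": "a@b.test", "password": "x"}'},
    {"url": "http://api.example.test/profile?phone=000", "headers": {}, "body": ""},
]
```

Matching on names alone misses renamed or encoded fields, so an empty result is inconclusive rather than proof that an app is clean.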

Khazana Jewellery

Khazana Jewellery's app serves as a “savings” management app for purchasable goods from Khazana Jewellery. Users can send monthly payments to Khazana Jewellery, and after the purchase scheme completion, they can purchase jewelry or gold in value from the scheme savings.

Jamf Threat Labs found the iOS version of the app is leaking credentials. However, the Android version of the app is safe from this issue.

Log showing the Khazana app transmitting user data over HTTP in plain text

Example of a request leaking user credentials

There are several requests leaking data, and the following data is being leaked while users interact with the app:

  • User email

  • Password

  • Full name

  • Phone number

The app manages user payments and subscriber plans. If an attacker gets possession of the leaked credentials, they may log in to a compromised account and adjust it to their needs. This includes cancelling running subscriptions and causing unnecessary monetary harm in the form of cancellation fees.

The main risk of exposed credentials is access to the PII stored in the app. When subscribing to a plan, a user needs to fill in personal details, and this data may be misused for an advanced phishing attack against the user or for identity theft.

Extent of PII requested and stored in the app:

  • Full name

  • Phone number

  • Address

  • PAN number

  • ID number

Khazana app interface showing a form that includes user data, like their ID, address, name and more

Example of personal data contained in app. Source: Google Play store

MiCare HealthTech Holdings

The healthcare management company serves 15 million users, hence we believe that the potential vector for misuse is not trivial.

Even though the leaky app is of low popularity and potentially kept for legacy reasons, the app remains in the Apple and Android app stores and poses a real risk for users installing it.

The affected app is HBC-MED; iOS and Android versions show the same issues. This app appears to be a legacy management app and has been replaced by another app from the same developer.

MiCare HealthTech Holdings app listings in the App Store, with the legacy, leaky app shown on the left and the new one on the right

Left: Old app that leaks data | Right: New app that does not leak user data

We want to emphasize that the new app is not affected by the same flaws as the legacy one.

Log showing the legacy MiCare HealthTech Holdings app transmitting user data over HTTP in plain text

Example of a request leaking user credentials

There are several requests leaking data, and the following data is being leaked while interacting with the app:

  • Username

  • Password

  • National ID

  • Subscribed insurance/healthcare policy

  • Device HW specification (Android app only)

This credential leak comes with another possibility of misuse. Given the nature of the leaky app, it is meant to manage users’ healthcare information. As clearly seen from the screenshot publicly shared in the app stores, the app has access to user personal data, medical card data and any dependent’s data. We could not confirm the extent of this data as we do not have any kind of working account for this healthcare management company. It is possible that this app has access to sensitive personal and healthcare data due to the nature of its purpose.

Medical app interface with sections that include data like a medical card, panel provider, dependents and more

App’s interface showing access to data. Source: App Store for iPhone

Even though the affected users are very limited in number, we believe this type of private data exposure is critical and deserves attention.

Defend against data leaks with Jamf

Jamf for Mobile helps you protect your devices from leaky apps:

  • Zero Trust Network Access (ZTNA) ensures only trusted users on managed devices can access work apps and data.
  • Continuously monitoring app risk levels and network traffic controls helps prevent specific apps from transmitting data entirely.
  • Leveraging Apple’s On-Device Content Filtering allows you to block all network traffic from specific applications identified as data leakage risks.
