The Android app from dating site Match and a physician’s drug search app made by Athenahealth featured a bug that failed to protect passwords and user names, a team at Northeastern University has found.
Both apps were among hundreds that the Northeastern researchers found sent personal information such as home addresses and names, and in some cases user names and passwords, from smartphones to company servers without securing that data by encryption.
As a result, any user logging into the app while on a public Wi-Fi network — such as the free networks in cafes or airports — could unwittingly reveal their personal data to others using a simple program to watch network traffic.
“It’s like walking around a room and eavesdropping on conversations,” said David Choffnes, a computer science professor and team lead on the project.
Athenahealth acknowledged the bug in its Epocrates app, which some 300,000 doctors in the United States use as a reference guide for medicines.
After Choffnes contacted the Epocrates team about the bug, the company issued a software fix as an app update, then contacted customers who were using the leaky version of the app and instructed them to activate the fix.
“It was information that ideally shouldn’t have been there, and when we found out about it we made sure that vulnerability was eliminated,” said Tim O’Brien, chief marketing officer at Athenahealth and a leader of the Epocrates team.
In this instance, a hack into a user’s account would have been harmless, O’Brien said: The app does not store patient data or personal information about the doctor using the app.
Match acknowledged the issue when Choffnes contacted the company last year, according to an e-mail provided by Choffnes. The company appears to have fixed the bug in its latest update, Choffnes and his team found when they tested the app in early January. Match did not respond to a request for comment.
Every app on your phone collects and sends data to the servers of the company that made it, or to third parties. Many of these transactions are integral to the app’s core functions — like your password and login information if you are signing in, or your location information, if you are searching for directions — but apps have also been accused of overreaching in the kinds of data they collect and send.
In either case, consumers are rarely aware of what personal information is being sent — and how and if personal information is being protected.
Choffnes’s chief motivation is to make data transactions from smartphones more transparent to consumers. By using a program to monitor network traffic, Choffnes says he has catalogued apps that were sending personal information in so-called plain text.
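The kind of audit described above, flagging credentials and personal fields that leave the phone without encryption, can be illustrated with a small checker. The code below is an added example, not the Northeastern team's tooling and not code from the article: it takes already-decoded HTTP requests, as a traffic-monitoring program would produce them, and reports sensitive form or JSON fields carried over plain http rather than https. The app names, hosts, sample bodies and the list of sensitive field names are constructed assumptions.

```python
"""Audit decoded app traffic for credentials and PII sent without TLS.

Hypothetical helper (not the research team's tool). Input is a list of
already-decoded HTTP requests; output is the sensitive fields that travelled
over cleartext HTTP, i.e. what a passive observer on shared Wi-Fi could read.
"""
import json
from urllib.parse import parse_qs

# Field names that should never travel in the clear. Matching is case-insensitive
# and substring-based so "user_password" and "login_email" are both caught.
# This list is an assumption; a real audit would tune it per app.
SENSITIVE_KEYS = ("password", "passwd", "username", "email", "address", "token")


def extract_fields(content_type, body):
    """Decode a request body into {field: value}. Unknown or malformed bodies yield {}."""
    ctype = (content_type or "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if ctype == "application/json":
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        return data if isinstance(data, dict) else {}
    return {}


def is_sensitive(field_name):
    """True when the field name looks like a credential or personal datum."""
    name = field_name.lower()
    return any(key in name for key in SENSITIVE_KEYS)


def find_plaintext_leaks(requests):
    """Return (app, host, field) triples for sensitive fields sent over http://.

    Each request is a dict with keys app, scheme, host, path, content_type, body.
    Requests over https are skipped: a capture of them shows only ciphertext.
    """
    findings = []
    for req in requests:
        if req["scheme"].lower() != "http":
            continue  # encrypted in transit; nothing readable on the wire
        for field in extract_fields(req.get("content_type"), req.get("body", "")):
            if is_sensitive(field):
                findings.append((req["app"], req["host"], field))
    return findings


# Constructed sample captures; app names and hosts are placeholders, not real endpoints.
SAMPLE_REQUESTS = [
    {"app": "example-dating-app", "scheme": "http", "host": "api.example-dating.test",
     "path": "/login", "content_type": "application/x-www-form-urlencoded",
     "body": "username=alice&password=hunter2&remember=1"},
    {"app": "example-drug-ref-app", "scheme": "http", "host": "sync.example-drugref.test",
     "path": "/sync", "content_type": "application/json; charset=utf-8",
     "body": '{"email": "doc@example.test", "query": "ibuprofen"}'},
    {"app": "example-weather-app", "scheme": "https", "host": "api.example-weather.test",
     "path": "/login", "content_type": "application/x-www-form-urlencoded",
     "body": "username=bob&password=s3cret"},  # TLS-protected; not reported
    {"app": "example-news-app", "scheme": "http", "host": "cdn.example-news.test",
     "path": "/headlines", "content_type": "application/json", "body": '{"page": 1}'},
]

if __name__ == "__main__":
    for app, host, field in find_plaintext_leaks(SAMPLE_REQUESTS):
        print(f"{app}: field '{field}' sent in the clear to {host}")
```

On the constructed samples the checker reports the dating app's username and password and the drug-reference app's email address; the same login over https is not reported because the capture would contain only ciphertext. The fix on the app side is the one the article describes, moving those requests to an encrypted channel, which this checker would then confirm by producing no findings.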
“I think this requires constant auditing,’’ Choffnes said, but as a researcher on a budget, he doesn’t intend to take this on full time.
Choffnes acknowledged that most people relaxing with a cappuccino or running to catch a flight are not watching network traffic.
“But if someone is malicious to begin with, it doesn’t take much — it’s an easy thing to do,” he said.
Nidhi Subbaraman can be reached at nidhi.subbaraman@globe.com. Follow her on Twitter @NidhiSubs.