A survey shows that the cloud back ends of a worrying number of Android and iOS apps are misconfigured, exposing the data of many users. Hackers then have access to personal and medical data, and sometimes even unencrypted accounts and passwords!
Zimperium security researchers warn of a disturbing phenomenon. Using automated tests, they found that tens of thousands of applications rely on a cloud service misconfigured by its developer, exposing some of the sensitive data stored there.
Zimperium is part of Google’s App Defense Alliance, which brings together handpicked partners whose role, alongside Google Play Protect, is to scan the Google Play Store and highlight any security issue in the app store. These misconfigurations affect all categories of applications.
Cloud configuration issues: all categories of applications are affected
Zimperium explains that the same problems are found on applications with a few thousand downloads as well as on applications with several million. Because of the extent of the problem, the organization prefers not to disclose the list of affected applications.
The researchers could not, in fact, warn so many developers. And when they did, they found that the reaction of those concerned was at best insufficient. Among the applications concerned is, according to the firm, a digital wallet published by a Fortune 500 company, which exposes user session data as well as financial data.
There are also medical applications with test results, and even profile photos, stored in the clear without any encryption. Zimperium also cites the case of a transport application for a large city that provides unencrypted access to bank data. In addition to this sensitive user data, the researchers occasionally found network login/password pairs, system configuration files, and server architecture keys.
AWS, Azure, Google Cloud … developers forget that they are the sole masters of their security
Enough to give them deep access to the IT infrastructure of these companies. In one case, the researchers even report that a server allowed anyone to erase or change data without any privilege elevation. In all, the firm says it discovered that the cloud back ends of at least 20,000 Android and iOS applications were misconfigured to the point of threatening the security of their users.
The root of the problem is undoubtedly that the modern web, and applications with it, are built on turnkey cloud services that let developers focus on the functionality of their application rather than getting their hands dirty building and maintaining their own cloud solution.
To date, there are mainly three major cloud players: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform. However, while these platforms do simplify setting up cloud infrastructure, they do not protect developers against code problems in their own applications.
And because they manage only a small piece of the infrastructure themselves, developers tend to lower their guard. This is also why services like AWS do what they can to notify developers in advance when they detect configuration problems. But Amazon, like its competitors, cannot make these configuration issues disappear on its own.
Android and iOS users still lack information on app security
“For users, this means that personal data can be exposed: medical data, test results, phone numbers, and even the password of certain accounts. However, this is also a risk for companies. Hackers can gain information that helps them carry out deeper attacks”, notes Shridhar Mittal, CEO of Zimperium.
It is therefore up to developers to be particularly vigilant. There is nothing theoretical about the risks: groups of hackers constantly scan app stores looking for cloud configuration issues, and it’s a safe bet that they are carrying out covert attacks based on these kinds of errors as we write these lines.
For now, unfortunately, users cannot do anything. Apple does have cards in place that show how each app uses your personal data, which can help steer you towards apps that collect less data. But nothing on either the App Store or the Play Store yet really makes it possible to gauge how secure the cloud solution behind a given application is.