Billions of records could be in danger due to flaw in mobile app data
The way thousands of popular mobile applications store data online leaves it open to criminals, who could obtain personal information including passwords, addresses, location data and door codes, security researchers have found.
The team of German researchers who studied the applications in detail discovered 56 million items of unprotected data, drawn from social-network, messaging, gaming, bank-transfer and medical apps.
Siegfried Rasthofer, a member of the team from the Fraunhofer Institute for Secure Information Technology and Darmstadt University of Technology, said: “In almost every category we found an app which has this vulnerability in it.”
Eric Bodden, the team leader, said the number of affected records “will likely be in the billions.”
Another security researcher working independently, Colombian Jheto Xekri, said he had discovered the same fault.
Bodden said the problem lies with the developers who write and sell the applications, and with the way they validate users when storing their data in online databases.
Many such apps use services like Facebook’s Parse or Amazon Web Services to share, store or back up users’ data.
Such services do offer developers ways to protect the data, but most choose the default option, which relies on a string of letters and numbers embedded in the app’s code, called a token.
Bodden says attackers can easily extract and manipulate those tokens from the app, which then grants them access to the private data of every user of that app stored on the server.
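As an added illustration, not from the article or from the researchers’ own tooling: the first step of the attack described above is simply locating the embedded token, which a `strings`-style dump of a decompiled app exposes. The scanner below runs over a constructed dump and flags AWS access-key IDs by their documented `AKIA`/`ASIA` prefix and any long, high-entropy string that looks like an opaque backend token. Every value in the sample is made up or an official AWS placeholder; the generic token charset and the 4.0 bits-per-character threshold are heuristics assumed here, not anything the researchers published.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample: roughly what `strings classes.dex` (or grep over a
# decompiled source tree) prints for an app that hard-codes its backend
# credentials. Values are made up or AWS's published documentation
# placeholders; nothing here comes from a real application.
SAMPLE_STRINGS_DUMP = """\
Landroid/content/Context;
com.example.app.internal.networking.ApiClient
https://api.example-baas.invalid/1/classes/UserProfile
X-Example-Application-Id
7f3k9QzX2pL0mN4vB8cR1tY6wE5uI9oA3sD7fG2h
AKIAIOSFODNN7EXAMPLE
wJalrXUtnFEMI/K7MDENG/bPxRfiCUEXAMPLEKEY
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
onCreate
"""

# AWS access key IDs are 20 chars and start with a fixed, documented prefix.
AWS_ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")

# Candidate opaque tokens (assumed heuristic): runs of 32+ token-safe
# characters. Dots and colons break a run, so package names and URLs are
# split into short fragments and never qualify.
GENERIC_TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=]{32,}")
MIN_BITS_PER_CHAR = 4.0  # assumed threshold; repetitive filler scores far lower


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    line_no: int


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own character distribution."""
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_embedded_credentials(dump: str) -> list[Finding]:
    """Return credential-looking strings in a strings dump, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(dump.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding("aws_access_key_id", m.group(0), line_no))
        for m in GENERIC_TOKEN_RE.finditer(line):
            token = m.group(0)
            if AWS_ACCESS_KEY_RE.fullmatch(token):
                continue  # already reported with its specific kind
            if shannon_entropy(token) >= MIN_BITS_PER_CHAR:
                findings.append(Finding("high_entropy_token", token, line_no))
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_STRINGS_DUMP):
        print(f"line {f.line_no}: {f.kind}: {f.value}")
```

The scan reports the two opaque 40-character strings and the `AKIA…` key, and ignores the repeated-character line, the URL and the class names. The practical lesson is that anything shipped inside a client binary is public: the fix is not hiding the token better but tying every read and write to an authenticated user with server-side permissions, so that a leaked app token on its own returns nothing.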
However, the researchers said there is no documented evidence that the vulnerability has been exploited.
The vulnerable applications, which number in the tens of thousands, include some of the most popular on the Google and Apple app stores; the researchers declined to name them.
Rasthofer said all four companies had responded to the findings. On Monday, he said, Apple staff told the team they would soon add warnings urging developers to re-check their security settings before uploading apps to the App Store.
Apple and Amazon did not reply to requests for comment, while Google declined to comment.
A Facebook spokeswoman said the company was working with affected developers after being alerted to the vulnerability by the researchers, but declined to provide further details.
Rasthofer said Facebook’s Parse lists some of the world’s biggest companies among its customers, all of which are likely to be affected.
Security researchers say users’ data in mobile applications is likely to be at greater risk than data handled by programs on desktop or laptop computers. Ibrahim Baggili, who runs a cybersecurity lab at the University of New Haven, said this is partly because putting stronger security in place is harder on mobile, and partly because developers are in a hurry to launch their apps.
Others see the way apps send data as a weakness as well. Bryce Boland, Asia Pacific chief technology officer at internet security company FireEye, said the report pointed to deeper problems.
He said FireEye regularly finds developers sending usernames and passwords unencrypted, “so it’s not surprising to find them storing them insecurely as well.”
Bodden compared his team’s discovery to the Heartbleed bug, a web vulnerability reported last year that left half a million web servers open to data theft. Some security researchers said this flaw might be worse, because there was little users could do about it and exploiting it was easy.
“The amount of effort to compromise data by exploiting app vulnerabilities is far less than the effort to exploit Heartbleed,” said Toshendra Sharma, founder of Bombay-based mobile security company Wegilant.
Other security researchers say that while the developers who make those apps are responsible for the weak validation, others in the chain should share the blame.
Domingo Guerra, co-founder of mobile security company Appthority, said: “The truth is that there is plenty of fault to go around.” App stores and cloud providers, he said, should ensure that apps are tested for such flaws and that best practices are implemented correctly.