Updated: Millions of mobile app users threatened by lax security coding flaw

A team of German researchers claims to have uncovered a poor programming practice that is exposing thousands of mobile apps to data breaches.


The flaw potentially exposes users' personal data because of the way app developers authenticate users when storing and retrieving data from cloud databases such as Facebook's Parse and Amazon Web Services (AWS).

The researchers, from the Fraunhofer Institute for Secure Information Technology and Darmstadt University of Technology, studied 750,000 apps from Google Play Store and Apple's App Store and discovered that many of them used simple API-tokens for authentication, even though other, more secure options are available.

This runs counter to best practice advice from the cloud storage providers themselves.

A spokesperson for Amazon Web Services said: “AWS recently was made aware of a small number of mobile application developers who have published applications that contain AWS credentials. We believe that affected developers inadvertently embedded their own AWS credentials within their mobile applications, which could lead to unauthorised use of the developer's AWS services and data. AWS has contacted each of the developers directly to provide guidance on how to remove their credentials from the application, encourage them to carefully examine their AWS resources for unauthorised activity and provide assistance as needed.”

Professor Eric Bodden, the leader of the research team, said it found 56 million unprotected data sets. “Due to legal restrictions and the huge amount of suspicious apps, we could only inspect a small number in detail”, he said. “However, our findings and the nature of the problem indicate that an enormous amount of app-related information is open to identity theft or even manipulation.”

Bodden's team has informed the cloud providers and the German Federal Office for Information Security (BSI). “With Amazon's and Facebook's help we also informed the developers of the respective apps and they really are the ones who need to take action because they underestimated the danger”, he said.

Winston Bond, European technical manager at Arxan Technologies, wasn't surprised by the findings. “Whilst I haven't personally come across this vulnerability, the underlying problem in the development lifecycle that is leaving this kind of data open is something we see frequently in the industry.”

The AWS spokesperson said, “Developers can prevent this from happening by following industry and AWS-recommended security best-practices and using the tools AWS provides for credential protection and management in mobile applications, such as AWS Identity Access Management (IAM) resource policies, AWS IAM Roles, AWS Token Vending Machine (TVM), AWS Web Identity Federation (WIF) and Amazon Cognito.”
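As an added illustration, not code from the researchers, AWS or Arxan, the following release-time check scans an app package for the pattern the AWS spokesperson describes: long-lived AWS credentials embedded in the shipped binary. The sample package and its key values are constructed here from AWS's published documentation example keys; the AKIA (IAM user) versus ASIA (temporary STS) prefix distinction is real, while the 40-character secret-key match is a heuristic of this example that needs manual review of hits.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# AWS access key IDs are 20 characters: AKIA = long-lived IAM user key, ASIA = temporary STS key.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Heuristic: a 40-character secret following a "secret key"-style label. Review hits manually.
SECRET_RE = re.compile(r"(?i)secret(?:_?access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})")

@dataclass
class Finding:
    member: str   # file inside the package
    kind: str
    value: str

def scan_text(member, text):
    """Return credential-looking strings found in one package member."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(text):
        kind = "long-lived access key id" if m.group(1).startswith("AKIA") else "temporary access key id"
        findings.append(Finding(member, kind, m.group(1)))
    for m in SECRET_RE.finditer(text):
        findings.append(Finding(member, "secret access key", m.group(1)))
    return findings

def scan_package(package_bytes):
    """Scan every member of an APK/IPA-style zip; latin-1 keeps binary members 1:1 with their bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        for info in z.infolist():
            findings.extend(scan_text(info.filename, z.read(info).decode("latin-1")))
    return findings

def has_embedded_long_lived_key(findings):
    """Release gate: any AKIA key or secret means a long-lived credential shipped with the app."""
    return any(f.kind in ("long-lived access key id", "secret access key") for f in findings)

def build_sample_package():
    """Constructed test package: a properties file and a fake binary member carrying example keys."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/aws.properties",
                   "accessKeyId=AKIAIOSFODNN7EXAMPLE\nsecretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
        z.writestr("classes.dex", b"\x00\x07Ljava/lang/String;\x00AKIAI44QH8DHBEXAMPLE\x00")
        z.writestr("res/raw/notes.txt", "No credentials here; tokens come from Cognito at runtime.\n")
    return buf.getvalue()

if __name__ == "__main__":
    for f in scan_package(build_sample_package()):
        print(f"{f.member}: {f.kind} {f.value[:8]}...")
```

A hit on an AKIA key or a secret should fail the build; the fix is the one the spokesperson lists, issuing short-lived scoped credentials at runtime through Cognito, WIF or a TVM rather than compiling a key into the app.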

Bond said personally identifiable information, passwords and location data need to be harder to find, and therefore harder to exploit. “We know developers are under increasing pressure to quickly deliver new or updated applications which are feature rich, but this means security continues to be pushed to the wayside. The majority of the time developers have relied on the default settings available, making an assumption they will be sufficient, or they copy directly from an existing sample app that does not address the unique vulnerabilities associated with mobile applications and the data they manage.”

More robust protection needs to be inserted directly into the app at the binary level, he said. “Without this level of protection, apps are at risk, because it's easy for a hacker to reverse-engineer binary code back to source code. With access to the source code, hackers can replicate, extract and make changes. In this case, if binary protection was within the applications, then it wouldn't have made the passwords and data so easily findable and exploitable.”

Developers should also consider using ‘whitebox’ cryptography technology so services will only talk to the authorised application. “It is one thing for the app to be able to talk to the server but the big problem comes when you can extract the password and use anything to talk to the server,” he said.

And he added: “In today's highly distributed mobile application environment, it's virtually impossible to secure all the networks and devices that are leveraged, so establishing application protections, particularly at runtime, is essential.”
