Security researchers have found that developers building applications on the Twilio REST API or SDK have carelessly hard-coded their Twilio credentials into those applications, resulting in a large-scale data exposure.
Dubbed “Eavesdropper”, the flaw was discovered by security researchers at Appthority. It affects nearly 700 apps in enterprise mobile environments, more than 170 of which are live in the official app stores today. Affected Android apps alone have been downloaded up to 180 million times. Approximately 33 percent of the Eavesdropper apps found are business-related. The exposure has been present since 2011.
Examples of apps with the Eavesdropper vulnerability include a secure-communication app for a US federal law enforcement agency, an app that lets enterprise sales teams record audio and annotate discussions in real time, and branded and white-label navigation apps for customers such as AT&T and US Cellular.
In the report the researchers stressed that the problem is not specific to developers who build apps with Twilio: hard-coding credentials is a pervasive and common developer error that increases the security risk of mobile apps.
The attack does not need a jailbroken or rooted device, nor does it exploit a known OS vulnerability or deliver malware. Rather, it shows how one developer's mistake of exposing credentials in a single app can affect every other app by that developer that shares the same Twilio account: because the credentials unlock the whole account, an attacker can reach data belonging even to sibling apps in which best practices were followed, using side-channel and historical attacks.
“A motivated attacker with automated tools to convert the audio to text and search for specific keywords will almost certainly be rewarded with valuable data,” said Michael Bentley, senior director of Security Research at Appthority in a blog post.
“The scope of the exposure is massive including hundreds of millions of call records, minutes of calls and audio recordings, and text messages.”
An Eavesdropper attack requires only three steps: reconnaissance, exploitation and exfiltration. First, the attacker identifies apps that use Twilio. Some advertise that they do (eg RingDNA); others can be found by downloading apps with messaging, recording or calling functionality and inspecting them.
Next, the attacker searches the app binaries for the string “twilio”, either through a service such as VirusTotal or with a tool such as YARA, and then looks for the Twilio credentials themselves. These consist of a Twilio account identifier (the account SID) and a token that acts as the account password (the auth token); the two are generally found within 100 bytes of each other and close to the api.twilio.com call.
With the credentials in hand, there are many ways to authenticate to the account and browse or exfiltrate its data. “There is no need to perform weaponisation or the other steps as the files are undefended. Once the messaging and audio files have been exfiltrated, the attacker can run a simple script to convert audio files to text and search the text for keywords that would lead to proprietary or sensitive data,” said Bentley.
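To make the reconnaissance and credential-hunting steps concrete, here is an added example (not code from the original article, from Appthority or from Twilio) of a small Python scanner that a security team can run over its own app binaries, for instance classes.dex from an unzipped APK or the output of `strings`, to find hard-coded Twilio credentials before an attacker does. It assumes Twilio's documented credential formats (an account SID is “AC” plus 32 hex characters, an auth token is 32 hex characters) and applies the heuristic described above that the two sit within about 100 bytes of each other and near api.twilio.com; the 1024-byte “near the host” radius is this example's own assumption. The sample input is a constructed, fake strings dump, and the SID and token in it are placeholders, not real credentials.

```python
import re
import sys
from dataclasses import dataclass
from typing import List

# Twilio's documented credential formats: an Account SID is "AC" followed by
# 32 hex characters; an Auth Token is 32 hex characters.
SID_RE = re.compile(rb"AC[0-9a-fA-F]{32}")
# A token candidate is a run of exactly 32 hex characters. The lookarounds
# reject runs embedded in longer hex strings, so a SID's own hex tail is
# never mistaken for a token.
TOKEN_RE = re.compile(rb"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")
API_HOST = b"api.twilio.com"

SID_TOKEN_WINDOW = 100   # heuristic from the article: SID and token within ~100 bytes
API_HOST_WINDOW = 1024   # assumption: how close api.twilio.com must be to count as "near"


@dataclass(frozen=True)
class Finding:
    sid: str
    token: str
    sid_offset: int
    token_offset: int
    near_api_host: bool

    def redacted(self) -> str:
        # Never echo the full token into logs or tickets; a prefix/suffix is enough to triage.
        return f"{self.sid} / {self.token[:4]}...{self.token[-4:]} @ {self.sid_offset}"


def _gap(a_start: int, a_end: int, b_start: int, b_end: int) -> int:
    """Bytes separating two spans (0 if they touch or overlap)."""
    return max(b_start - a_end, a_start - b_end, 0)


def scan_blob(data: bytes,
              window: int = SID_TOKEN_WINDOW,
              host_window: int = API_HOST_WINDOW) -> List[Finding]:
    """Return every SID/token pair that sits within `window` bytes of each other."""
    tokens = [(m.start(), m.end(), m.group()) for m in TOKEN_RE.finditer(data)]
    hosts = [m.start() for m in re.finditer(re.escape(API_HOST), data)]
    findings: List[Finding] = []
    for sm in SID_RE.finditer(data):
        near = any(abs(h - sm.start()) <= host_window for h in hosts)
        for t_start, t_end, tok in tokens:
            if _gap(sm.start(), sm.end(), t_start, t_end) > window:
                continue  # a hex run this far from the SID is probably unrelated
            findings.append(Finding(sm.group().decode(), tok.decode(),
                                    sm.start(), t_start, near))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan a raw file, e.g. classes.dex from an unzipped APK or a `strings` dump."""
    with open(path, "rb") as fh:
        return scan_blob(fh.read())


# Constructed sample standing in for strings pulled from a decompiled APK.
# The SID and token are fake placeholders, not real Twilio credentials.
SAMPLE = (
    b"Lcom/example/dialer/TwilioClient;\x00"
    b"https://api.twilio.com/2010-04-01/Accounts/\x00"
    b"AC0123456789abcdef0123456789abcdef\x00"       # fake SID
    b"0f0e0d0c0b0a09080706050403020100\x00"         # fake token, one byte after the SID
    b"RingMe/Calls.json\x00"
    + b"\x00" * 200 +                                # padding pushes the decoy out of range
    b"zz0123456789abcdef0123456789abcdef\x00"       # decoy hex run, too far from the SID
)


if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_blob(SAMPLE)
    for f in hits:
        flag = "NEAR api.twilio.com  " if f.near_api_host else "                     "
        print(flag + f.redacted())
```

Run it with no arguments to see the constructed sample flagged, or pass a file path to scan a real binary. Any hit is worth treating as a live credential exposure: rotate the auth token in the Twilio console first, then fix the app to fetch short-lived, scoped tokens from a backend you control instead of shipping the account secret.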
Dr Guy Bunker, SVP of products at Clearswift, told SC Media UK that the challenge here is for organisations to understand which apps their employees are using and the security vulnerabilities those apps may contain.
“In this case, there are hundreds of apps which are impacted by the flaw, and organisations need to put in place a mitigation plan immediately. Most organisations do not know what apps employees have on their mobile devices – there will be some which are sanctioned by IT – but there will be many others which are not. Sending out a request for users to remove affected apps is important, but it also exposes a wider need for regular auditing and control,” he said.
Tim Erlin, VP of product management and strategy at Tripwire, told SC Media UK that hard-coded passwords should not be used in app development. “The challenge is that this advice is not just best practice, but really basic practice, yet some developers still haven't gotten the message. App developers really need to educate themselves on secure software development practices in order to prevent vulnerabilities like this one,” he said.
Winston Bond, EMEA technical director at Arxan Technologies, told SC Media UK that using anti-reverse engineering tools would make it more difficult for an attacker to identify an app as being vulnerable or to extract the information needed to carry out the attack. “But that is just a short-term band-aid. It is a better idea to buy a safe for your corporate crown jewels,” he added.