Thousands of Android and iOS apps exposed user data due to commonly found cloud misconfigurations, according to a mobile security firm. The issues could allow malicious attackers to exploit the leaked information. The researchers found misconfiguration problems on apps using popular public cloud services such as Amazon Web Services, Google Cloud, and Microsoft Azure. Among other apps, a mobile wallet developed by a Fortune 500 company was spotted exposing session and payment information of users that could lead to fraud.
The researchers at Zimperium conducted an automated analysis of more than 1.3 million Android and iOS apps in which they found misconfiguration problems on 14 percent of the total testing base. In a blog post, the company noted that it detected apps that leak the entire cloud infrastructure scripts and definitions including SSH keys.
“Other types of configurations are Web server config files, installation files, and even passwords to payment kiosks,” the company said in the post.
The apps were found to expose personally identifiable information (PII) including profile pictures, personal details, and medical test data. Some apps even enabled fraud or exposed intellectual property (IP) data and internal systems.
Apps exposing PII included some medical and social media apps as well as a major game app and a fitness app. Major city transportation, online retailer, and gambling apps were also noticed enabling fraud. Further, major music, news service, mobile payments wallet, airport, hardware developer, and Asian government travel apps were found to expose IP and system details. Zimperium, however, didn’t reveal the exact name of the apps exposing data.
“During our review, we encountered several apps relying on both Google and Amazon storage that was accessible without any security. In one example, the information we were able to obtain included profile pictures and other PII information,” Zimperium said.
The researchers also found that in some cases, the misconfigurations allowed hackers to even change or overwrite data that could bring further disruption for end users.
Wired reported that a total of 11,877 Android apps and 6,608 iOS apps were exposing users’ sensitive information through common cloud misconfigurations.
The researchers contacted some app developers about the exposures, though many apps were found to have still exposed data. The response from most of the app developers reached out was also minimal.
Cloud service providers such as Amazon, Google, and Microsoft do provide ways to protect data from being exposed. However, it is the ultimate responsibility of developers and the companies that offer apps to use appropriate configurations to ensure safety of their users.
“Once you’ve closed off your cloud service to unauthorised external access, the next thing you can do is to use a service that assesses your secure software development lifecycle as part of your standard development process,” Zimperium said.
Importantly, Zimperium is one of the three mobile security companies that are a part of Google’s App Defense Alliance initiative, that is aimed to offer automated app scanning for Google Play.
Wired reported that Zimperium researchers used the same set of tools it uses for the App Defense Alliance programme to investigate cloud misconfigurations. However, instead of looking for accidental exposures, the company uses the tools for Google Play to find potentially malicious functionality.