Thousands of Android and iPhone Apps are Leaking User Data
A mobile security firm has found that many Android and iOS apps rely on improperly secured cloud storage, and their users' personal information is being leaked as a result
Dallas-based security firm Zimperium has found that over 18,000 Android and iOS apps have been leaking their users' personal data through improperly secured cloud storage and app misconfigurations. Simple settings errors have long been one of the main sources of exposure for companies that store data in the cloud. The leaked information varies enormously: personal details such as usernames, real names, phone numbers, email addresses and street addresses; medical test results; and session tokens for online banking and shopping websites. Other exposed data included details of online payment systems and server configurations, airport transportation systems, encryption keys and even blank bank checks.
Zimperium scanned over 1.3 million Android and iOS apps, all of which relied on public cloud services, and found that 14% of the mobile apps that use cloud storage had insecure configurations that posed a security risk. For apps worldwide and across almost every category scanned, the analysis found significant issues that enabled fraud and/or exposed intellectual property or internal systems and configurations.
“A lot of these apps have cloud storage that was not configured properly by the developer or whoever set things up and, because of that, data is visible to just about anyone. And most of us have some of these apps right now,” Shridhar Mittal, CEO of Zimperium, said in an interview with Wired.
Zimperium has chosen not to release the names of the affected companies, because anyone with a browser, command-line tools and knowledge of where to look could reach the exposed data without having to guess a password. Its report does say that the long list of insecure apps includes a "Fortune 500 mobile wallet," a "major game app," "social media apps," a "major online retailer" and a "major music service."
Zimperium is one of the mobile security firms Google has signed up to its App Defense Alliance, which regularly scans apps on the Google Play store with the aim of keeping Google Play safe and removing malicious apps. That initiative inspects the apps themselves, not the back-end storage they talk to: Amazon, Google and Microsoft do not check that each of their cloud-computing customers has properly secured its databases and storage buckets. That is the customer's responsibility, and as these findings show, many don't pay enough attention. They are like someone opening a boutique storefront while forgetting to lock the back door into the alley.
The issue at hand is that most smartphone apps rely on cloud databases and storage to hold user data. Whether the app is for content streaming, social media or food delivery, what you see is just the front end of an online repository on a server that is often leased from Amazon, Google or Microsoft. "The process of securing these cloud containers used by mobile applications tends to be overlooked by app developers while the impact of a misconfigured cloud container on the app developer, their business and their users can be extremely high," said the Zimperium report.
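What "not configured properly" looks like in practice, and how a developer can check for it, is shown in the following added example. It is not Zimperium's scanner and not code from any of the apps in the report; it assumes the cloud container is an AWS S3 bucket (the article names Amazon among the providers but no specific service), and the bucket policy, ACL, Block Public Access settings and bucket listing it inspects are constructed samples in the real AWS document formats, with made-up bucket and account names. The weak configuration grants read and list to everyone; the corrected one limits access to a hypothetical back-end role and turns on all four Block Public Access flags.

```python
"""Audit an S3-style cloud container for anonymous access.

Added example for this article, not Zimperium's tooling. Assumes an AWS S3
bucket; every policy/ACL/listing document below is a constructed sample.
"""
import xml.etree.ElementTree as ET

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Actions that let a caller read or enumerate objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
# All four must be true for S3 Block Public Access to override public ACLs and policies.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    # Principal "*" or {"AWS": "*"} matches every caller, authenticated or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def policy_findings(policy):
    """Allow statements granting read/list to everyone, as (Sid, action, has_condition).
    A Condition (e.g. aws:SourceIp) may narrow the grant, so it is flagged for review, not dropped."""
    out = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action")):
            if action.lower() in READ_ACTIONS:
                out.append((stmt.get("Sid", "<no Sid>"), action, "Condition" in stmt))
    return out


def acl_findings(grants):
    """Permissions the bucket ACL gives to AllUsers or AuthenticatedUsers.
    AuthenticatedUsers means any AWS account in the world, so it is treated as public too."""
    out = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return out


def public_access_block_ok(config):
    """True only when every Block Public Access flag is enabled."""
    return all(config.get(flag) is True for flag in PAB_FLAGS)


def listed_keys(xml_text):
    """Object keys from a ListBucketResult. An unauthenticated GET on the bucket URL
    that returns this with HTTP 200 instead of AccessDenied is the 'browser and
    knowing where to look' case from the article."""
    ns = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
    root = ET.fromstring(xml_text)
    return [key.text for key in root.findall("s3:Contents/s3:Key", ns)]


def audit(policy, grants, pab_config, listing_xml=None):
    """Human-readable findings; an empty list means no anonymous access was found."""
    issues = [f"policy statement {sid} grants {action} to everyone"
              + (" (has Condition, review it)" if cond else "")
              for sid, action, cond in policy_findings(policy)]
    issues += [f"ACL grants {perm} to {group}" for group, perm in acl_findings(grants)]
    if not public_access_block_ok(pab_config):
        issues.append("Block Public Access is not fully enabled")
    if listing_xml and (keys := listed_keys(listing_xml)):
        issues.append(f"bucket listing readable without credentials ({len(keys)} keys)")
    return issues


# Constructed samples: the misconfigured state and the corrected state.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-app-userdata", "arn:aws:s3:::example-app-userdata/*"]}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "BackendOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-backend"},  # hypothetical role
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-app-userdata/*"}]}
WEAK_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
FIXED_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]
WEAK_PAB = {flag: False for flag in PAB_FLAGS}
FIXED_PAB = {flag: True for flag in PAB_FLAGS}
SAMPLE_LISTING = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-app-userdata</Name>
  <Contents><Key>users/1001/profile.json</Key><Size>812</Size></Contents>
  <Contents><Key>backup/db-config.yml</Key><Size>2048</Size></Contents>
</ListBucketResult>"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_POLICY, WEAK_ACL, WEAK_PAB, SAMPLE_LISTING))
    print("fixed:", audit(FIXED_POLICY, FIXED_ACL, FIXED_PAB) or ["no anonymous access found"])
```

The three checks are deliberately independent: a bucket policy can be clean while a legacy ACL still grants READ to AllUsers, and Block Public Access is the account- or bucket-level setting that makes both of the others harmless even if a later deploy reintroduces them. Against a live bucket the same functions would be fed the output of the AWS API's get-bucket-policy, get-bucket-acl and get-public-access-block calls, plus the body of an unauthenticated GET on the bucket URL.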
According to the interview, Mittal said the company recently used the same scanning tools to look for accidental exposures and found 11,877 Android apps and 6,608 iOS apps exposing all kinds of personal information about their users. In some of the exposed data Zimperium also found network credentials, system configuration files and even server architecture keys.
Zimperium is helping app developers assess the current security status of their apps' cloud containers, and providing the tools and guidance needed to secure their chosen cloud container and prevent information from leaking. From an industry standpoint, it is important to raise awareness of the need for mobile app developers to be reachable, so that they can receive and address security concerns about the apps they build. That awareness will help stop data leaks and unsecured back-end systems, so that more users can confidently share their data with the apps they use.
Keep up to date with the latest tech industry insights, trends, information technologies, app development and small business content on the Proteams Blog.