If there were ever a compelling reason not to trust third-party app developers with your data, this is it. A mobile security firm has found that thousands of third-party Android and iOS apps leak user data through misconfigured cloud storage.
Data Leaks Discovered
It would be nice to call this stunning news, but it isn’t. It is not really surprising that user data leaked while unsuspecting mobile users kept signing up for account after account.
It all comes down to mishandled data. It does not appear to be malicious, just careless. Rather than run their own servers, third-party mobile app developers stored user data in public cloud storage and, in many cases, left it open to anyone who looked.
Mobile security firm Zimperium ran an automated analysis of 1.3 million Android and iOS apps, checking for misconfigured data storage. 84,000 Android apps and nearly 47,000 iOS apps were found to be storing user data on a public cloud service such as Amazon Web Services, Google Cloud, or Microsoft Azure. Of those apps using cloud storage, 14 percent exposed users’ personal information, which included passwords and even medical information.
“It’s a disturbing trend,” says Shridhar Mittal, Zimperium’s CEO. “A lot of these apps have cloud storage that was not configured properly by the developer or whoever set things up, and because of that, data is visible to just about anyone. And most of us have some of these apps right now.”
What’s worse is that the researchers reached out to some of the developers and had very little response – and many of the apps still have exposed data.
The leaked data potentially includes a great deal of personal information about users. Some of the apps had a few thousand users, while others had a few million. Financial data from a mobile wallet belonging to a Fortune 500 company is among the exposed data, as are a large city’s transportation data and test results from medical apps.
Zimperium did not try to ascertain whether attackers had found the exposed data, but bad actors would certainly be able to use the same public methods the researchers did to access the information. And they wouldn’t just be able to view the exposed data. Some of the misconfigurations would allow attackers to change or overwrite the data.
Who’s Responsible for this Mess?
The cloud providers do try to watch for misconfigurations, but it is ultimately up to the developers to audit this storage and make sure it is configured as intended.
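The kind of check a developer can run before shipping, as an added example that is not part of the original article or of Zimperium’s tooling: it reads an S3 bucket policy and bucket ACL and reports whether anonymous users can read, list, or overwrite data, the two failure modes described above. The policy and ACL documents are constructed samples (the bucket name, account ID and role name are placeholders), one deliberately public and one corrected; with a real bucket you would feed it the output of `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` instead.

```python
import fnmatch
import json
from typing import Any, Dict, List

# Constructed sample documents (not data from Zimperium's report). Placeholders:
# bucket "example-app-user-data", account 123456789012, role "app-backend".
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",          # the mistake: everyone
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-user-data/*"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-app-user-data/*"},
    ],
})
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},                              # anyone can list keys
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
]}

# Corrected versions: only the backend role is named; only the owner holds an ACL grant.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-user-data/*"},
    ],
})
FIXED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
]}

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_TARGETS = ("s3:getobject",)
WRITE_TARGETS = ("s3:putobject", "s3:deleteobject")


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def _anonymous_principal(principal: Any) -> bool:
    """True when a statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants(actions: List[str], targets) -> bool:
    # IAM action names are case-insensitive and may carry wildcards (s3:Get*, s3:*, *).
    return any(fnmatch.fnmatchcase(t, a.lower()) for a in actions for t in targets)


def public_access_from_policy(policy_json: str) -> Dict[str, bool]:
    """Anonymous object read/write granted by a bucket policy document."""
    out = {"read": False, "write": False, "conditional": False}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _anonymous_principal(stmt.get("Principal")):
            continue
        if "Condition" in stmt:
            # A Condition (e.g. aws:SourceIp) may narrow the grant; flag it for manual review.
            out["conditional"] = True
            continue
        actions = _as_list(stmt.get("Action", []))
        out["read"] |= _grants(actions, READ_TARGETS)
        out["write"] |= _grants(actions, WRITE_TARGETS)
    return out


def public_access_from_acl(acl: Dict[str, Any]) -> Dict[str, bool]:
    """Grants to the AllUsers / AuthenticatedUsers groups in a bucket ACL.
    On a bucket, READ means listing keys; WRITE means creating, overwriting or deleting objects."""
    out = {"list": False, "write": False}
    for grant in acl.get("Grants", []):
        g = grant.get("Grantee", {})
        if g.get("Type") != "Group" or g.get("URI") not in PUBLIC_GROUPS:
            continue
        perm = grant.get("Permission")
        out["list"] |= perm in ("READ", "FULL_CONTROL")
        out["write"] |= perm in ("WRITE", "FULL_CONTROL")
    return out


def assess_bucket(policy_json: str, acl: Dict[str, Any]) -> List[str]:
    """Human-readable findings; an empty list means no public grant was found."""
    p, a = public_access_from_policy(policy_json), public_access_from_acl(acl)
    findings = []
    if p["read"]:
        findings.append("policy: anonymous s3:GetObject (anyone can download objects)")
    if p["write"]:
        findings.append("policy: anonymous s3:PutObject/DeleteObject (anyone can overwrite or delete)")
    if p["conditional"]:
        findings.append("policy: anonymous statement gated by a Condition; review it")
    if a["list"]:
        findings.append("acl: public group can list the bucket")
    if a["write"]:
        findings.append("acl: public group can write to the bucket")
    return findings
```

Running `assess_bucket(LEAKY_POLICY, LEAKY_ACL)` returns three findings (anonymous read, anonymous write, public listing), while the corrected pair returns an empty list. The check is deliberately conservative: it only evaluates the two documents it is given, so object-level ACLs and the account’s S3 Block Public Access setting, which can override both, still need to be reviewed separately.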
“It absolutely makes sense that misconfiguration could be a widespread issue,” said security researcher Will Stafrach. “I’ve seen AWS buckets with bad permissions, and I’ve also seen multiple VPN nodes exposing data. I’ve seen a lot of apps from companies who should know better that have horrible security issues.”
Zimperium also takes part in Google’s App Defense Alliance Initiative, which checks apps on the Play store. That work differs in that it looks for malicious behaviour rather than the accidental data leaks caused by cloud misconfiguration.
After all this, Mittal simply hopes to raise awareness of the problem.