Thousands of Android, iOS Apps Reveal User Data Due to Cloud Misconfigurations: Zimperium

Thousands of Android and iOS apps have exposed user data as a result of common cloud misconfigurations, according to a mobile security company. The exposures could allow malicious attackers to take advantage of the leaked information. The researchers found misconfigurations in apps using popular public cloud services such as Amazon Web Services, Google Cloud, and Microsoft Azure. Among other apps, a mobile wallet developed by a Fortune 500 company was found exposing session and user payment information that could lead to fraud.

Researchers at Zimperium automatically analyzed more than 1.3 million Android and iOS apps and found misconfigurations in 14 percent of the total test base. In a blog post, the company noted that it found apps that expose all of the scripts and definitions of their cloud infrastructure, including SSH keys.

“Other types of configurations are web server configuration files, installation files, and even passwords to payment slots,” the company said in the post.

The apps were found to expose personally identifiable information (PII) including profile pictures, personal details, and medical test data. Some apps even enabled fraud or exposed intellectual property (IP) and internal systems.

Apps exposing PII included some medical and social media apps as well as a major game app and a fitness app. Urban transportation, online wholesale, and gambling apps were also found to enable fraud. Further, major music, news service, mobile payments wallet, airport, hardware developer, and Asian government travel apps were found revealing IP and system details. Zimperium, however, did not reveal the exact names of the apps that exposed data.

“In our review, we encountered a number of apps that relied on both Google and Amazon that were accessible without any security. In one example, the information we were able to access included profile pictures and other PII information,” said Zimperium.

The researchers also found that, in some cases, the misconfigurations even allowed attackers to modify or overwrite data, which could lead to further problems for end users.

Wired reported that a total of 11,877 Android apps and 6,608 iOS apps exposed sensitive user information through common cloud misconfigurations.

The researchers contacted some app developers about the exposures, although many apps were found to be still exposing data. There has been little response from most app developers.

Cloud service providers like Amazon, Google, and Microsoft provide ways to protect data from being exposed. However, it is up to the developers and the companies that offer apps to configure those services correctly to keep their users' data safe.
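As an added example, not from the article or from Zimperium's tooling, this is the kind of check a developer can run over an AWS S3 bucket policy before shipping an app: it flags any statement that grants anonymous callers read or write access to objects, which is the misconfiguration behind exposed PII and the overwritten data described above. The bucket name, account id and role name in the sample policy are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample bucket policy (placeholder bucket, account and role names).
# The first statement lets anyone on the internet read every object; the second
# is scoped to one IAM role, which is the intended shape.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-wallet-uploads/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-wallet-uploads/*"},
    ],
})

# Actions that read or alter data; "s3:*"-style patterns are matched with fnmatch.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject", "s3:putobjectacl")

def _as_list(value):
    """Policy fields may be one string/object or a list; normalise to a list."""
    return [] if value is None else [value] if isinstance(value, (str, dict)) else list(value)

def _is_anonymous(principal):
    """True when the statement applies to everyone, i.e. unauthenticated callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def _grants(actions, targets):
    """True if any action pattern in the statement covers one of the target actions."""
    return any(fnmatch.fnmatch(t, a.lower()) for a in actions for t in targets)

def find_public_statements(policy_json):
    """Return (Sid, kind) for each Allow statement usable by anonymous callers; kind is
    'read', 'write' or 'both'. Statements with a Condition block are still reported."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        read, write = _grants(actions, READ_ACTIONS), _grants(actions, WRITE_ACTIONS)
        if read or write:
            kind = "both" if read and write else "read" if read else "write"
            findings.append((stmt.get("Sid", "<no sid>"), kind))
    return findings
```

Running `find_public_statements(SAMPLE_POLICY)` reports only the `PublicRead` statement; the same check applied to the policies pulled from a real account (for example via the AWS CLI) gives a quick pre-release inventory of buckets reachable without credentials.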

“Once you close your cloud service to unauthorized external access, the next thing you can do is use a service that assesses your product development lifecycle and secures software as part of your normal development process,” said Zimperium.

Importantly, Zimperium is one of three mobile security companies that are part of Google's App Defense Alliance program, which aims to offer automated app scanning for Google Play.

Wired said Zimperium researchers used the same set of tools it uses for the App Defense Alliance program to investigate the cloud misconfigurations. However, instead of looking for data exposures, the company uses those tools in the Google Play program to detect potentially malicious activity.
