SecurityWeek

Mobile & Wireless

Poor Backend Security Practices Expose Sensitive Data

Researchers discovered that the poor security practices of mobile app developers relying on Backend-as-a-Service (BaaS) offerings to make their job easier lead to the exposure of millions of records of potentially sensitive information.

An increasing number of Android and iOS applications are designed to store user data in the cloud to allow customers to access their information from multiple devices. However, many app developers don’t possess the skills or resources necessary for developing and maintaining a backend, which is why they turn to BaaS providers such as Facebook-owned Parse, CloudMine, and Amazon Web Services (AWS).

These services provide features such as data storage, user administration, and push notifications via software development kits (SDKs) and application programming interfaces (APIs). These APIs and SDKs allow developers to integrate the service into their products with just a few lines of code.

While BaaS providers like Parse, CloudMine and AWS offer security features, such as data encryption and access control, which can be used to ensure that the data handled by the service is protected, the defaults are highly insecure and many developers don’t bother changing them.

In a presentation last week at the Black Hat Europe security conference, Siegfried Rasthofer and Steven Arzt, PhD students at the Technical University of Darmstadt in Germany, detailed the security risks associated with the use of BaaS services and disclosed the results of a study conducted with the aid of a custom tool designed to find vulnerable applications.

The researchers pointed out that, by default, most BaaS solutions rely on an ID and a “secret” key for authentication. Malicious actors can easily extract these credentials from the targeted mobile apps, giving them access to the backend with the same privileges as the application.

Rasthofer and Arzt have developed a fully automated tool, dubbed HAVOC, that can be used to identify potentially vulnerable applications, extract credentials from them, and test their validity.
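The core problem described above is that a BaaS application ID and "secret" key shipped inside the app binary are readable by anyone who unpacks it, so a build-time or app-store-upload check for hardcoded backend credentials is the obvious first line of defence (the researchers' own mitigation list ends with exactly such automatic checks). The following Python scanner is an added example, not HAVOC or any code from the researchers or the BaaS providers: it walks the text files of a decompiled app and flags string literals that look like Parse `Parse.initialize(appId, clientKey)` arguments or AWS access key material. The regular expressions are this example's own assumptions about how those SDK calls and resource strings typically look, the sample files and every credential-like value in them are constructed, and the tool deliberately stops at reporting a redacted finding rather than testing anything against a backend.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of what a decompiled Android app's sources and resources
# might contain. Every value below is made up for this example (the AWS values
# are the placeholder keys used in AWS documentation); none is a real credential.
SAMPLE_FILES = {
    "com/example/app/App.java": '''
        public void onCreate() {
            Parse.initialize(this, "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2", "z9y8x7w6v5u4z9y8x7w6v5u4z9y8x7w6v5u4z9y8");
        }
    ''',
    "res/values/strings.xml": '''
        <resources>
            <string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>
            <string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
            <string name="app_name">Demo</string>
        </resources>
    ''',
    "com/example/app/Safe.java": '''
        // Credentials obtained at runtime from a token service, not hardcoded.
        String token = credentialsProvider.getToken();
    ''',
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    line: int
    evidence: str  # redacted, safe to put in a build log


# Assumed patterns (this example's own, not an official list):
#  - the Parse SDK takes the application ID and client key as string arguments
#    to Parse.initialize(); two long literals there mean they ship in the APK;
#  - an AWS access key ID is "AKIA" followed by 16 uppercase alphanumerics;
#  - a resource string whose name contains "secret" with a long value is a
#    strong hint that a secret key was put in strings.xml.
# Matching is per line, so a call split across lines would need a second pass.
PATTERNS = {
    "parse-initialize-literal": re.compile(
        r'Parse\.initialize\s*\([^)]*?"([^"]{20,})"\s*,\s*"([^"]{20,})"'),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws-secret-key-resource": re.compile(
        r'<string\s+name="[^"]*secret[^"]*">([^<]{30,})</string>', re.IGNORECASE),
}


def redact(value: str) -> str:
    """Keep a short prefix and the length so a report never repeats the credential."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per credential-like match in a single decompiled file."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # group(1) is the first captured literal; patterns without a
                # capture group (the AKIA pattern) report the whole match.
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(path, kind, lineno, redact(secret)))
    return findings


def scan_app(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of relative path -> file contents, as produced by unpacking an app."""
    findings: list[Finding] = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


def has_embedded_backend_credentials(files: dict[str, str]) -> bool:
    """Gate for a CI or upload pipeline: True means the build should be rejected."""
    return bool(scan_app(files))


if __name__ == "__main__":
    for f in scan_app(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind}: {f.evidence}")
    print("reject build:", has_embedded_backend_credentials(SAMPLE_FILES))
```

On the constructed sample the scanner reports three findings (the Parse call and both AWS strings) and nothing for the file that fetches a token at runtime, which is the shape a developer should be steered toward: short-lived, per-user credentials issued by the backend's identity layer rather than a master key baked into every installed copy of the app.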

The experts have used the tool to analyze a total of more than two million Android applications from Google Play and third-party app stores, and identified over 1,000 backend credentials, many of which have been reused for several applications. The analysis uncovered more than 18.6 million records with over 56 million individual data items that could be easily accessed.

An analysis of the mobile apps leveraging the BaaS service from Parse revealed car accident information, pictures, location data, email addresses, phone numbers, dates of birth, financial transaction data, and Facebook profile details. In the case of applications using Amazon’s BaaS, experts discovered server backups, pictures, private messages, web page content, lottery data, and health records. In some cases, the apps allow attackers not only to access the data, but also modify it.

The research also revealed that some BaaS features can be abused for remote code execution on a targeted server, for sending spam emails, and for sending out push notifications containing potentially malicious URLs. The experts also found that some pieces of malware leverage BaaS frameworks.

Since the issues impact a large number of mobile applications, the researchers reached out to the BaaS providers Amazon and Facebook, and to app store owners Google and Apple so that they can notify the developers of affected applications.

However, the fact that service providers have been notified hasn’t helped much. Rasthofer and Arzt discovered roughly 56 million pieces of data at the beginning of their research, and Facebook was contacted in April, but at the time of disclosure last week the researchers reported that they still had access to the same number of records.

“We have suggested several mitigations to these problems, from better defaults for BaaS platforms, to better developer education and automatic vulnerability checks on applications uploaded to app stores. In general, app developers need to better understand that every app has security implications, which must be taken into consideration as part of the basic design of the app,” researchers said in their paper.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.