
Poor Backend Security Practices Expose Sensitive Data

Researchers discovered that the poor security practices of mobile app developers relying on Backend-as-a-Service (BaaS) offerings to make their job easier lead to the exposure of millions of records of potentially sensitive information.


An increasing number of Android and iOS applications are designed to store user data in the cloud to allow customers to access their information from multiple devices. However, many app developers don’t possess the skills or resources necessary for developing and maintaining a backend, which is why they turn to BaaS providers such as Facebook-owned Parse, CloudMine, and Amazon Web Services (AWS).

These services provide features such as data storage, user administration, and push notifications via software development kits (SDKs) and application programming interfaces (APIs). These APIs and SDKs allow developers to integrate the service into their products with just a few lines of code.

While BaaS providers like Parse, CloudMine and AWS offer security features, such as data encryption and access control, which can be used to ensure that the data handled by the service is protected, the defaults are highly insecure and many developers don’t bother changing them.

In a presentation last week at the Black Hat Europe security conference, Siegfried Rasthofer and Steven Arzt, PhD students at the Technical University of Darmstadt in Germany, detailed the security risks associated with the use of BaaS services and disclosed the results of a study conducted with the aid of a custom tool designed to find vulnerable applications.

The researchers pointed out that, by default, most BaaS solutions rely on an ID and a “secret” key for authentication. Malicious actors can easily extract these credentials from the targeted mobile apps, giving them access to the backend with the same privileges as the application.

Rasthofer and Arzt have developed a fully automated tool, dubbed HAVOC, that can be used to identify potentially vulnerable applications, extract credentials from them, and test their validity.

The experts used the tool to analyze more than two million Android applications from Google Play and third-party app stores and identified over 1,000 backend credentials, many of them reused across several applications. The analysis uncovered more than 18.6 million records containing over 56 million individual data items that could be accessed with little effort.
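The extraction step described above, as an added example that is not the researchers' HAVOC code: a Python scanner over strings pulled from decompiled apps. The input is a constructed sample of three hypothetical apps (package names and keys are made up; the AWS pair uses Amazon's documented placeholder values). It looks for the two credential shapes the article names, a Parse application ID plus client key passed to `Parse.initialize(...)` or declared as `com.parse.APPLICATION_ID`/`com.parse.CLIENT_KEY` manifest meta-data, and an AWS access key ID (`AKIA` prefix) with a 40-character secret in the same app, and then reports which credentials recur across apps.

```python
import re
from collections import defaultdict

# AWS access key IDs start with AKIA followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A 40-character base64-like token standing alone; only trusted as an AWS secret
# when an access key ID appears in the same app.
AWS_SECRET_KEY = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
# Parse Android SDK: Parse.initialize(context, applicationId, clientKey)
PARSE_INIT = re.compile(r'Parse\.initialize\(\s*\w+\s*,\s*"([^"]+)"\s*,\s*"([^"]+)"')
# Parse Android SDK: credentials declared as manifest meta-data
PARSE_META = re.compile(
    r'android:name="com\.parse\.(APPLICATION_ID|CLIENT_KEY)"\s+android:value="([^"]+)"'
)

# Constructed sample: strings from three hypothetical decompiled APKs.
DECOMPILED_APPS = {
    "com.example.todo": [
        'Parse.initialize(this, "7f3c9a2b1d4e5f60718293a4b5c6d7e8f9a0b1c2", '
        '"c2b1a0f9e8d7c6b5a4938271605f4e3d2b1a9c3f");',
        "Lcom/parse/ParseObject;",
    ],
    "com.example.photos": [
        '<meta-data android:name="com.parse.APPLICATION_ID" '
        'android:value="7f3c9a2b1d4e5f60718293a4b5c6d7e8f9a0b1c2" />',
        '<meta-data android:name="com.parse.CLIENT_KEY" '
        'android:value="c2b1a0f9e8d7c6b5a4938271605f4e3d2b1a9c3f" />',
        'new BasicAWSCredentials("AKIAIOSFODNN7EXAMPLE", '
        '"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");',
    ],
    "com.example.notes": [
        'String accessKey = "AKIAIOSFODNN7EXAMPLE";',
        'String secretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";',
    ],
}


def extract_credentials(lines):
    """Return a set of (provider, key_id, secret) tuples found in decompiled text."""
    found = set()
    meta = {}
    for line in lines:
        for app_id, client_key in PARSE_INIT.findall(line):
            found.add(("parse", app_id, client_key))
        for name, value in PARSE_META.findall(line):
            meta[name] = value
    if "APPLICATION_ID" in meta and "CLIENT_KEY" in meta:
        found.add(("parse", meta["APPLICATION_ID"], meta["CLIENT_KEY"]))

    # Parse keys are 40 hex characters and would otherwise look like AWS secrets.
    parse_values = {v for _, app_id, client_key in found for v in (app_id, client_key)}
    blob = "\n".join(lines)
    access_ids = set(AWS_ACCESS_KEY.findall(blob))
    secrets = [s for s in AWS_SECRET_KEY.findall(blob)
               if s not in parse_values and s not in access_ids]
    for access_id in access_ids:
        for secret in secrets:
            found.add(("aws", access_id, secret))
    return found


def find_reuse(apps):
    """Map (provider, key_id) to the sorted list of apps embedding it, for keys shared by more than one app."""
    users = defaultdict(set)
    for app, lines in apps.items():
        for provider, key_id, _ in extract_credentials(lines):
            users[(provider, key_id)].add(app)
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}


if __name__ == "__main__":
    for app, lines in DECOMPILED_APPS.items():
        for provider, key_id, secret in sorted(extract_credentials(lines)):
            print(f"{app}: {provider} id={key_id} secret={secret[:6]}...")
    for (provider, key_id), apps in find_reuse(DECOMPILED_APPS).items():
        print(f"reused {provider} key {key_id} in {', '.join(apps)}")
```

On a real corpus the input would be the output of a decompiler run over each APK rather than hand-written lines; the patterns above only cover the literal-string case the article describes, so keys that an app assembles at runtime or reads from an encrypted asset are missed, which is a reason to test every candidate against the backend rather than treat pattern hits as the final count.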


An analysis of the mobile apps leveraging the BaaS service from Parse revealed car accident information, pictures, location data, email addresses, phone numbers, dates of birth, financial transaction data, and Facebook profile details. In the case of applications using Amazon’s BaaS, experts discovered server backups, pictures, private messages, web page content, lottery data, and health records. In some cases, the apps allow attackers not only to access the data, but also modify it.
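The access-control side of the two preceding points (the insecure defaults developers leave in place, and the records that turn out to be modifiable), as an added example rather than anything from the paper or from Parse: objects returned by Parse's REST API carry an optional `ACL` field keyed by a user objectId, by `role:Name`, or by `*` for everyone; an object with no ACL field is governed only by class-level permissions, which a freshly created Parse app leaves open. The audit below classifies a constructed query result (made-up objectIds and fields) and shows the owner-only ACL an app should attach when it creates a record.

```python
import json

# Constructed sample: what a query against a hypothetical "Trip" class might
# return from a Parse app. objectIds, user ids and coordinates are made up.
SAMPLE_RESPONSE = json.dumps({"results": [
    {"objectId": "a1B2c3D4e5", "driver": "alice", "lat": 50.1, "lon": 8.6,
     "ACL": {"u7GxK9pQ2r": {"read": True, "write": True}}},
    {"objectId": "f6G7h8I9j0", "driver": "bob", "lat": 49.9, "lon": 8.7,
     "ACL": {"*": {"read": True}, "v3HyL0qR4s": {"read": True, "write": True}}},
    {"objectId": "k1L2m3N4o5", "driver": "carol", "lat": 50.0, "lon": 8.5},
    {"objectId": "p6Q7r8S9t0", "driver": "dave", "lat": 50.2, "lon": 8.8,
     "ACL": {"*": {"read": True, "write": True}}},
]})


def classify_acl(obj):
    """Classify one Parse object by what its ACL grants to the public ('*')."""
    acl = obj.get("ACL")
    if acl is None:
        # No per-object ACL: only class-level permissions apply, and a new
        # Parse app ships with those wide open, so treat this as a finding.
        return "no-acl"
    public = acl.get("*", {})
    if public.get("write"):
        return "public-write"   # anyone holding the app keys can modify it
    if public.get("read"):
        return "public-read"    # anyone holding the app keys can read it
    return "restricted"         # no public grant on this object


def audit(response_json):
    """Bucket every object in a Parse query response by classify_acl()."""
    report = {"no-acl": [], "public-write": [], "public-read": [], "restricted": []}
    for obj in json.loads(response_json)["results"]:
        report[classify_acl(obj)].append(obj["objectId"])
    return report


def owner_only_acl(user_object_id):
    """ACL granting read and write only to the user who owns the record."""
    return {user_object_id: {"read": True, "write": True}}


def lock_down(obj, user_object_id):
    """Return a copy of obj with its ACL replaced by an owner-only ACL."""
    fixed = dict(obj)
    fixed["ACL"] = owner_only_acl(user_object_id)
    return fixed


if __name__ == "__main__":
    for verdict, ids in audit(SAMPLE_RESPONSE).items():
        print(f"{verdict:13s} {', '.join(ids) or '-'}")
    # The weak default beside the corrected setting for one record:
    weak = {"objectId": "p6Q7r8S9t0", "ACL": {"*": {"read": True, "write": True}}}
    print(json.dumps(weak["ACL"]), "->", json.dumps(lock_down(weak, "u7GxK9pQ2r")["ACL"]))
```

A `restricted` verdict only means the object carries no grant to `*`; it says nothing about whether the class-level permissions or a role entry still open the record to other users, so a full review pairs this per-object check with the class settings in the Parse dashboard. The same `owner_only_acl` shape is what an app should send in the object body at creation time instead of relying on the default.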

The research also revealed that some BaaS features can be abused for remote code execution on a targeted server, for sending spam emails, and for sending out push notifications containing potentially malicious URLs. The researchers also found malware that itself relies on BaaS frameworks.

Since the issues impact a large number of mobile applications, the researchers reached out to the BaaS providers Amazon and Facebook, and to app store owners Google and Apple so that they can notify the developers of affected applications.

However, notifying the service providers hasn't helped much. Rasthofer and Arzt found roughly 56 million data items at the beginning of their research and contacted Facebook in April, but at the time of disclosure last week they reported that they still had access to the same number of records.

“We have suggested several mitigations to these problems, from better defaults for BaaS platforms, to better developer education and automatic vulnerability checks on applications uploaded to app stores. In general, app developers need to better understand that every app has security implications, which must be taken into consideration as part of the basic design of the app,” researchers said in their paper.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
