Researchers discovered that the poor security practices of mobile app developers relying on Backend-as-a-Service (BaaS) offerings to make their job easier lead to the exposure of millions of records of potentially sensitive information.
An increasing number of Android and iOS applications are designed to store user data in the cloud to allow customers to access their information from multiple devices. However, many app developers don’t possess the skills or resources necessary for developing and maintaining a backend, which is why they turn to BaaS providers such as Facebook-owned Parse, CloudMine, and Amazon Web Services (AWS).
These services provide features such as data storage, user administration, and push notifications via software development kits (SDKs) and application programming interfaces (APIs). These APIs and SDKs allow developers to integrate the service into their products with just a few lines of code.
While BaaS providers like Parse, CloudMine and AWS offer security features, such as data encryption and access control, which can be used to ensure that the data handled by the service is protected, the defaults are highly insecure and many developers don’t bother changing them.
In a presentation last week at the Black Hat Europe security conference, Siegfried Rasthofer and Steven Arzt, PhD students at the Technical University of Darmstadt in Germany, detailed the security risks associated with the use of BaaS services and disclosed the results of a study conducted with the aid of a custom tool designed to find vulnerable applications.
The researchers pointed out that, by default, most BaaS solutions rely on an ID and a “secret” key for authentication. Malicious actors can easily extract these credentials from the targeted mobile apps, giving them access to the backend with the same privileges as the application.
Rasthofer and Arzt have developed a fully automated tool, dubbed HAVOC, that can be used to identify potentially vulnerable applications, extract credentials from them, and test their validity.
The experts have used the tool to analyze a total of more than two million Android applications from Google Play and third-party app stores, and identified over 1,000 backend credentials, many of which have been reused for several applications. The analysis uncovered more than 18.6 million records with over 56 million individual data items that could be easily accessed.
An analysis of the mobile apps leveraging the BaaS service from Parse revealed car accident information, pictures, location data, email addresses, phone numbers, dates of birth, financial transaction data, and Facebook profile details. In the case of applications using Amazon’s BaaS, experts discovered server backups, pictures, private messages, web page content, lottery data, and health records. In some cases, the apps allow attackers not only to access the data, but also modify it.
The research also revealed that some BaaS features can be abused for remote code execution on a targeted server, sending spam emails, and sending out push notifications containing potentially malicious URLs. Experts also discovered that some pieces of malware also leverage BaaS frameworks.
Since the issues impact a large number of mobile applications, the researchers reached out to the BaaS providers Amazon and Facebook, and to app store owners Google and Apple so that they can notify the developers of affected applications.
However, the fact that service providers have been notified hasn’t helped much. Rasthofer and Arzt discovered roughly 56 million pieces of data at the beginning of their research and Facebook was contacted in April, but at the time of disclosure last week the researchers reported that they still had access to the same amount of records.
“We have suggested several mitigations to these problems, from better defaults for BaaS platforms, to better developer education and automatic vulnerability checks on applications uploaded to app stores. In general, app developers need to better understand that every app has security implications, which must be taken into consideration as part of the basic design of the app,” researchers said in their paper.
Related Reading: Mobile Gambling Apps Expose Enterprise Data: Report