Thousands of Mobile Apps Expose Data via Misconfigured Cloud Containers

Thousands of mobile applications expose user data through insecurely implemented cloud containers, according to a new report from security vendor Zimperium.

The issue, the company notes, is rooted in the fact that many developers tend to overlook the security of cloud containers during the development process.

Cloud services help resolve the issue of storage space on mobile devices, and developers have numerous such solutions to choose from, some of the most popular being Amazon Web Services, Microsoft’s Azure, Google Storage, and Firebase, among others.

“All of these services allow you to easily store data and make it accessible to your apps. But, herein lies the risk, the ease of use of these services also makes it easy for the developer to misconfigure access policies – potentially allowing anyone to access and in some cases even alter data,” Zimperium notes.

An analysis of mobile applications that use cloud storage has revealed that roughly 14% rely on insecure configurations, potentially exposing Personally Identifiable Information (PII), enabling fraud, and/or exposing intellectual property or internal systems and configurations.

PII exposed through these misconfigurations includes profile pictures, addresses, financial information, medical details, and more. Risks that developers face when PII leaks include legal risks (the victim might sue the app developers), and brand damage, among others.

Information leaks may also involve the exposure of details related to the app operations and infrastructure. Some of the analyzed apps would leak their entire cloud infrastructure scripts, SSH keys, web server config files, installation files, or passwords.

An attacker could use this information to map an organization’s computing infrastructure, take over the backend infrastructure, and potentially reach other parts of the organization’s network.

Types of iOS and Android apps that were found to expose PII include medical apps, social media apps, major game apps, and fitness apps. Apps that enable fraud through data leaks include a Fortune 500 mobile wallet, a major city transportation app, a major online retailer, and a gambling app.

Among the apps that expose IP and systems, Zimperium found a major music app, a major news service, the apps of a Fortune 500 software company, a major airport, and a major hardware developer, as well as an Asian government travel app.

Zimperium also found apps that used both Google and Amazon cloud storage without any form of security, as well as apps that expose data users shared among them, or which exposed images containing payment details, along with various information related to making online purchases.

To avoid these risks, developers should always ensure that external access to cloud storage and databases is secured. They can then use a service that assesses their secure software development lifecycle and address any identified issues.
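As an added illustration, not code from the article or from Zimperium, the check below flags the kind of open access policy the report describes. It runs over two constructed documents of each type: an AWS S3 bucket policy and a Firebase Realtime Database rules file, one open and one restricted, so the bucket names, account ID and role name are invented.

```python
import json

# Constructed sample documents (not from the Zimperium report): one open, one restricted each.
OPEN_S3_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-app-uploads/*"}]})
RESTRICTED_S3_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-app-uploads/*"}]})
OPEN_FIREBASE_RULES = '{"rules": {".read": true, ".write": true}}'
AUTH_FIREBASE_RULES = ('{"rules": {"users": {"$uid": {'
                       '".read": "auth != null && auth.uid == $uid", '
                       '".write": "auth != null && auth.uid == $uid"}}}}')


def anonymous_s3_actions(policy_json):
    """Return the set of S3 actions that Allow statements grant to everyone
    (Principal "*" or {"AWS": "*"}). An empty set means no anonymous grant.
    Statements carrying a Condition are still returned: they need manual review."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    granted = set()
    for st in statements:
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if st.get("Effect") == "Allow" and anonymous:
            actions = st.get("Action", [])
            granted.update([actions] if isinstance(actions, str) else actions)
    return granted


def firebase_open_paths(rules_json, _node=None, _path="/"):
    """Return rule paths whose .read or .write is the literal true, i.e. granted
    without any auth condition. String rules such as "auth != null" are not flagged."""
    node = json.loads(rules_json)["rules"] if _node is None else _node
    hits = []
    for key, value in node.items():
        if key in (".read", ".write") and value is True:
            hits.append(_path + key)
        elif isinstance(value, dict):
            hits.extend(firebase_open_paths(rules_json, value, _path + key + "/"))
    return hits


if __name__ == "__main__":
    print("open S3 policy grants anonymously:", sorted(anonymous_s3_actions(OPEN_S3_POLICY)))
    print("restricted S3 policy grants anonymously:", anonymous_s3_actions(RESTRICTED_S3_POLICY))
    print("open Firebase rules:", firebase_open_paths(OPEN_FIREBASE_RULES))
    print("authenticated Firebase rules:", firebase_open_paths(AUTH_FIREBASE_RULES))
```

Feeding the same functions the policy documents pulled from a real deployment (for instance via the cloud provider's CLI) turns this into a quick pre-release gate for the misconfiguration the report counts.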

Related: Mobile Health Apps Found to Expose Millions of Records

Related: ‘Find My Mobile’ Vulnerabilities Exposed Samsung Galaxy Phones to Attacks

Related: Long-Patched Vulnerabilities Still Present in Many Popular Android Apps

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
