Hundreds of mobile applications that use the Twilio SDK or REST API include hardcoded credentials that could be abused to access millions of calls and text messages, researchers warned on Thursday.
Appthority’s Mobile Threat Team has analyzed more than 1,100 iOS and Android applications that use Twilio, a cloud communications platform designed for developing voice and messaging apps.
Twilio’s documentation provides guidance on best security practices, but researchers found that 686 apps from 85 developers exposed Twilio account IDs and access tokens (i.e. passwords). Roughly one-third of the applications containing hardcoded Twilio credentials are business-related, and the ones designed for Android have been downloaded between 40 and 180 million times.
The affected apps, more than 170 of which are still available on Google Play and the Apple App Store, include software used for secure communications by a federal law enforcement agency, one that allows sales teams to record audio and annotate discussions in real-time, and navigation apps for AT&T and US Cellular customers.
Researchers estimated that by extracting the Twilio account credentials from the source code of these apps, malicious actors could have gained access to hundreds of millions of call records, calls and call audio recordings, and SMS and MMS messages. North America, the U.K. and Australia are the most affected regions.
The vulnerability, which Appthority has dubbed “Eavesdropper,” was discovered in April and Twilio was notified in July. The service provider has been working with the developers of the impacted apps to address the issue.
However, researchers pointed out that the only way for developers to properly address the problem is to get their users to install an updated version of their app that does not include hardcoded credentials and change their Twilio account tokens.
Hardcoded credentials can pose a serious risk, not just for apps that use Twilio. Appthority warned that roughly 40% of the analyzed applications also expose Amazon S3 credentials.
Researchers have found credentials for more than 2,000 Amazon accounts in the analyzed apps. A closer analysis showed that roughly 900 of the accounts are still active and they provide access to nearly 22,000 S3 buckets, including ones that store potentially sensitive information.
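A defender-side check for the kind of hardcoded credentials the article describes in the Twilio and Amazon S3 findings above, added here as an example and not Appthority's or Twilio's own tooling: it scans a string dump from a decompiled app for the publicly documented credential formats (Twilio Account SID, Twilio auth token, AWS access key ID), which are assumptions of this example rather than details from the article, and the sample lines are constructed placeholders.

```python
import re
from typing import Iterable, List, Tuple

# Credential formats assumed from public documentation, not from the article:
# Twilio Account SID  = "AC" + 32 hex chars
# Twilio auth token   = 32 hex chars
# AWS access key ID   = "AKIA" (long-term) or "ASIA" (temporary) + 16 uppercase alphanumerics
TWILIO_SID = re.compile(r"\bAC[0-9a-f]{32}\b", re.IGNORECASE)
HEX32 = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def redact(value: str) -> str:
    """Keep a short prefix for triage so the report never prints the full secret."""
    return value[:6] + "*" * (len(value) - 6)


def scan_strings(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for each suspected credential.

    A bare 32-hex string also matches MD5 checksums, so it is only reported as a
    Twilio token when the same line carries an Account SID or the word "token".
    """
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for sid in TWILIO_SID.findall(line):
            findings.append((n, "twilio_account_sid", redact(sid)))
        token_context = bool(TWILIO_SID.search(line)) or "token" in line.lower()
        for hex32 in HEX32.findall(line):
            if token_context:
                findings.append((n, "twilio_token", redact(hex32)))
        for key in AWS_KEY_ID.findall(line):
            findings.append((n, "aws_access_key_id", redact(key)))
    return findings


# Constructed sample: what a strings dump of a decompiled app might contain.
SAMPLE_STRINGS = [
    'static final String TWILIO_SID = "' + "AC" + "a" * 32 + '";',
    'static final String TWILIO_TOKEN = "' + "b" * 32 + '";',
    "aws.accessKeyId=" + "AKIA" + "A" * 16,
    "asset_md5=" + "c" * 32,  # a checksum, not a credential: must not be flagged
]

if __name__ == "__main__":
    for finding in scan_strings(SAMPLE_STRINGS):
        print(finding)
```

Run it against the output of `strings` on an unpacked APK or IPA; anything it flags is a credential that should be rotated and moved behind a backend rather than shipped in the app.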
“Eavesdropper poses a serious enterprise data threat because it allows an attacker to access confidential company information, which may include a range of sensitive information often shared in an enterprise environment, such as negotiations, pricing discussions, recruiting calls, product and technology disclosures, health diagnoses, market data or M&A planning,” warned Seth Hardy, Appthority Director of Security Research. “An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data.”
Earlier this year, Appthority reported that more than 1,000 iOS and Android applications installed on enterprise mobile devices had been exposing sensitive data via backend systems.