Thousands of Mobile Apps Expose User Data from the Cloud: Zimperium
Apps exposing PII included some medical and social media apps as well as a major game app and a fitness app. Misconfigurations in major city transportation, online retailer, and gambling apps were also found to enable fraud. Further, major music, news service, mobile payments wallet, airport, hardware developer, and Asian government travel apps were found to expose IP and system details. Zimperium, however, didn’t reveal the exact names of the apps exposing data.
“During our review, we encountered several apps relying on both Google and Amazon storage that was accessible without any security. In one example, the information we were able to obtain included profile pictures and other PII information,” Zimperium said.
The researchers also found that in some cases the misconfigurations allowed attackers to change or overwrite data, which could cause further disruption for end users.
Wired reported that a total of 11,877 Android apps and 6,608 iOS apps were exposing users’ sensitive information through common cloud misconfigurations.
The researchers contacted some app developers about the exposures, though many apps were still found to be exposing data. The response from most of the developers contacted was also minimal.
Cloud service providers such as Amazon, Google, and Microsoft do provide ways to protect data from being exposed. However, it is the ultimate responsibility of developers and the companies that offer apps to use appropriate configurations to ensure the safety of their users.
“Once you’ve closed off your cloud service to unauthorised external access, the next thing you can do is to use a service that assesses your secure software development lifecycle as part of your standard development process,” Zimperium said.
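Closing off a storage bucket to unauthorised access, as recommended above, starts with knowing whether its policy or ACL grants anything to anonymous principals. The following is an added example, not code from the article or from Zimperium: an offline audit of AWS S3 bucket policy and ACL documents that flags public read and public write grants (the latter being the overwrite case the article mentions). The policy JSON, bucket name and role ARN are constructed samples.

```python
"""Offline audit of S3 bucket policy and ACL documents for public read or write grants."""
import json
# Action names that grant reading or writing of objects (wildcards matched literally).
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:Get*", "s3:*", "*"}
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:Put*", "s3:*", "*"}
# Group URIs AWS uses for anonymous and any-authenticated-account ACL grantees.
PUBLIC_ACL_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_public_principal(principal):
    # "*" or {"AWS": "*"} means any caller, including unauthenticated ones.
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def audit_policy(policy_json):
    """Return {'public_read': bool, 'public_write': bool} for a bucket policy document."""
    findings = {"public_read": False, "public_write": False}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        # Only unconditional Allow statements to an anonymous principal are flagged; a
        # Condition block narrows the grant and should be reviewed by hand instead.
        if (stmt.get("Effect") != "Allow" or stmt.get("Condition")
                or not _is_public_principal(stmt.get("Principal"))):
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        findings["public_read"] |= bool(actions & READ_ACTIONS)
        findings["public_write"] |= bool(actions & WRITE_ACTIONS)
    return findings

def audit_acl(grants):
    """Same check for an ACL grant list, as returned by get_bucket_acl()['Grants']."""
    findings = {"public_read": False, "public_write": False}
    for grant in grants:
        if grant.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS:
            perm = grant.get("Permission")
            findings["public_read"] |= perm in ("READ", "FULL_CONTROL")
            findings["public_write"] |= perm in ("WRITE", "FULL_CONTROL")
    return findings

# Constructed samples: a policy letting anyone read and overwrite objects (the class of
# misconfiguration the article describes) beside a corrected version that grants the same
# actions only to the app's own backend role (bucket name and account/role ARN are fictional).
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-app-uploads/*"}]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-backend"},
    "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-app-uploads/*"}]})
```

Feed `audit_policy` the output of `get_bucket_policy()['Policy']` and `audit_acl` the output of `get_bucket_acl()['Grants']` to run the same check against live buckets; Google Cloud Storage IAM bindings to `allUsers` or `allAuthenticatedUsers` are the equivalent condition there.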
Importantly, Zimperium is one of the three mobile security companies that are part of Google’s App Defense Alliance initiative, which is aimed at offering automated app scanning for Google Play.
Wired reported that Zimperium researchers used the same set of tools the company uses for the App Defense Alliance programme to investigate cloud misconfigurations. For Google Play, however, the company uses those tools to find potentially malicious functionality rather than accidental exposures.