Millions of sensitive records exposed by mobile apps leaking back-end credentials

Developers have hard-coded credentials for back-end services into thousands of mobile apps, researchers found

Thousands of mobile applications, including popular ones, implement cloud-based, back-end services in a way that lets anyone access millions of sensitive records created by users, according to a recent study.

The analysis was performed by researchers from the Technical University and the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany, and the results were presented Friday at the Black Hat Europe security conference in Amsterdam. It targeted applications that use Backend-as-a-Service (BaaS) frameworks from providers like Facebook-owned Parse, CloudMine or Amazon Web Services.

BaaS frameworks offer cloud-based database storage, push notification, user administration and other services that developers can easily use in their apps. Their goal is to minimize the knowledge needed to maintain the back-end servers of an application.

All developers have to do is sign up with a BaaS provider, integrate its software development kit (SDK) in their applications, then use its services through simple application programming interfaces (APIs).

The researchers looked at how developers use these APIs and discovered that many of them embed their primary (root) BaaS access keys directly inside their apps. This is a very dangerous practice, because applications, especially mobile ones, can easily be reverse engineered to extract such credentials, which then grant full access to the back-end databases.

In order to see how widespread the problem was, the researchers built a tool that uses both static and dynamic analysis to identify which BaaS provider is used by an application and to extract the BaaS access keys from it, even if they’re obfuscated or computed at runtime.
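The article does not describe the internals of the researchers' tool, so the following is an added example, not their code: a minimal static sweep in Python over "decompiled" Android sources that are constructed here for the demo. It relies on three documented facts: AWS access key IDs begin with AKIA followed by 16 upper-case alphanumerics and AWS secret keys are 40 characters long (the credential values used below are AWS's own published documentation examples), and the Parse Android SDK is initialised with Parse.initialize(context, applicationId, clientKey). The file names, the Keys.decrypt helper and everything else in the sample sources are assumptions made up for the illustration.

```python
"""Static sweep of decompiled Android source for hard-coded BaaS credentials.

Added example, not the researchers' tool. Documented facts used:
  * AWS access key IDs: "AKIA" + 16 upper-case alphanumerics; secret keys are 40 chars.
  * Parse Android SDK: Parse.initialize(context, "<application id>", "<client key>").
The sample sources, file names and the Keys.decrypt helper are constructed for the demo.
"""
import re
from dataclasses import dataclass

# Adjacent literals joined with '+' ("AKIA" + "IOSF...") are a common, trivial
# obfuscation; folding them first makes the whole key visible to the matchers.
CONCAT_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')
AWS_KEY_RE = re.compile(r'\bAKIA[0-9A-Z]{16}\b')
# Secret keys have no fixed prefix, so use the variable name as a hint.
AWS_SECRET_RE = re.compile(r'(?i)\bsecret\w*\s*=\s*"([A-Za-z0-9/+]{40})"')
# Parse.initialize with both credential arguments as string literals.
PARSE_INIT_RE = re.compile(
    r'Parse\.initialize\(\s*[^,()]+,\s*"([^"]+)"\s*,\s*"([^"]+)"\s*\)')
# Any Parse.initialize call at all (to spot the ones that are NOT literals).
PARSE_CALL_RE = re.compile(r'Parse\.initialize\([^;]*')


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str   # aws_access_key_id | aws_secret_access_key | parse_app_id |
                # parse_client_key | needs_dynamic_analysis
    value: str


def fold_string_concats(src: str) -> str:
    """Repeatedly merge "a" + "b" into "ab" until nothing changes."""
    prev = None
    while prev != src:
        prev = src
        src = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src


def scan_source(path: str, src: str) -> list[Finding]:
    """Return every credential (or credential-bearing call) found in one file."""
    src = fold_string_concats(src)
    out: list[Finding] = []
    for m in AWS_KEY_RE.finditer(src):
        out.append(Finding(path, "aws_access_key_id", m.group(0)))
    for m in AWS_SECRET_RE.finditer(src):
        out.append(Finding(path, "aws_secret_access_key", m.group(1)))
    literal_starts = set()
    for m in PARSE_INIT_RE.finditer(src):
        literal_starts.add(m.start())
        out.append(Finding(path, "parse_app_id", m.group(1)))
        out.append(Finding(path, "parse_client_key", m.group(2)))
    for m in PARSE_CALL_RE.finditer(src):
        # Credentials computed at runtime (decrypted, assembled from bytes, etc.)
        # defeat string matching; flag the call so a dynamic hook on the SDK
        # initialisation can capture the real values when the app runs.
        if m.start() not in literal_starts:
            out.append(Finding(path, "needs_dynamic_analysis",
                               " ".join(m.group(0).split())))
    return out


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: source} mapping, deterministic order by path."""
    findings: list[Finding] = []
    for path, src in sorted(files.items()):
        findings.extend(scan_source(path, src))
    return findings


# Constructed sample "decompiled" sources; not taken from any real app.
SAMPLE_SOURCES = {
    "com/example/app/App.java": '''
        Parse.initialize(this, "appid0123456789abcdefghijklmnopqrstuvwxyz",
                         "clientkey0123456789abcdefghijklmnopqrstuv");
    ''',
    "com/example/app/Uploader.java": '''
        String accessKey = "AKIA" + "IOSFODNN7" + "EXAMPLE";
        String secretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    ''',
    "com/example/app/Obfuscated.java": '''
        Parse.initialize(this, Keys.decrypt(APP_ID_BLOB), Keys.decrypt(CLIENT_BLOB));
    ''',
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_SOURCES):
        print(f"{f.path}: {f.kind} = {f.value}")
```

Run against the constructed tree, the sweep recovers the concatenated AWS key and the literal Parse credentials, and flags the third file as needing dynamic analysis. That last case is the one the article's static-plus-dynamic approach exists for: a key that is only assembled at runtime still has to be handed to the SDK in the clear, so hooking the initialisation call on a device or emulator recovers it regardless of how it was hidden in the binary.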

They ran their tool against more than two million Android and iOS apps and extracted 1,000 back-end credentials and associated database table names. Many of those credentials were reused in multiple apps from the same developer and, in total, they provided access to over 18.5 million records containing 56 million data items.

The researchers did not actually download the records, but they were able to count them and determine their type by inspecting the database tables' names and schemas. The records included car accident information, user-specific location data, birthdays, contact information, telephone numbers, pictures, valid email addresses, purchase data, private messages, baby growth data and even whole server backups.

The researchers even found a mobile Trojan that used a BaaS service to store data and SMS messages stolen from infected devices, along with the attackers’ own commands and planned tasks.

The inclusion of BaaS credentials in applications exposes data records not only to theft by anyone, but also to manipulation or deletion. Attackers could also use the credentials to store their own data in those databases at the expense of the real account owners, who might not even realize that this is happening.

Google, Apple and the BaaS providers have been contacted about the issue since April, and in turn notified some of the developers whose apps were affected. However, as of Nov. 12, access to over 52 million data items was still freely available with the exposed credentials, the researchers said.

Some of this data is in limbo, because the apps that created it don’t even exist anymore as their developers moved on to other things. The service providers can’t simply delete it either, because the accounts are still active.

This suggests that developers either don’t care or don’t know how to fix the problem.

Some BaaS providers, like Amazon and Parse, offer more advanced access control and the ability to authenticate individual app users with the back-end services, rather than granting the whole app a single shared credential. However, these can be hard to implement.

In some cases, implementing such identity management is so complicated that it defeats the primary goal of BaaS frameworks, which is to simplify developers’ jobs.

It’s no wonder that developers choose the easy route, which is also the insecure one, the researchers said.

While this is ultimately the developers’ problem, BaaS providers could improve their documentation so that even app creators with no security education can understand how to use the technology and the risks they're exposed to if they don’t do it properly. Providers could even force developers to take action by detecting apps that access their services using root access keys and displaying a warning, the researchers said.
