Millions of sensitive records exposed by mobile apps leaking back-end credentials

Developers have hard-coded credentials for back-end services into thousands of mobile apps, researchers found

Thousands of mobile applications, including popular ones, implement cloud-based, back-end services in a way that lets anyone access millions of sensitive records created by users, according to a recent study.

The analysis was performed by researchers from the Technical University of Darmstadt and the Fraunhofer Institute for Secure Information Technology (SIT), both in Darmstadt, Germany, and the results were presented Friday at the Black Hat Europe security conference in Amsterdam. It targeted applications that use Backend-as-a-Service (BaaS) frameworks from providers like Facebook-owned Parse, CloudMine or Amazon Web Services.

BaaS frameworks offer cloud-based database storage, push notification, user administration and other services that developers can easily use in their apps. Their goal is to minimize the knowledge needed to maintain the back-end servers of an application.

All developers have to do is sign up with a BaaS provider, integrate its software development kit (SDK) in their applications, then use its services through simple application programming interfaces (APIs).

The researchers looked at how developers use these APIs and discovered that many of them embed their primary BaaS access keys, the root credentials for the whole back end, inside their apps. This is a very dangerous practice: applications, especially mobile ones, can easily be reverse engineered to extract such credentials, which then give full access to the back-end databases.

In order to see how widespread the problem was, the researchers built a tool that uses both static and dynamic analysis to identify which BaaS provider is used by an application and to extract the BaaS access keys from it, even if they’re obfuscated or computed at runtime.

They ran their tool against more than two million Android and iOS apps and extracted 1,000 back-end credentials and associated database table names. Many of those credentials were reused in multiple apps from the same developer and, in total, they provided access to over 18.5 million records containing 56 million data items.
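The credential hunt described above, as an added illustration rather than the researchers' own tool: a small static scanner that walks the decoded files of several apps (smali strings, bundled JSON, strings.xml), looks for root credentials next to their telltale header or property names, and then reports which root keys are shared between apps. Only the AWS access key ID format (AKIA plus 16 upper-case alphanumerics) is a documented fixed format; every other pattern, all file contents, app names and Parse-style key values are constructed assumptions for this example, and a real scan would also need the dynamic analysis the study used for keys computed at runtime.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Heuristic patterns for back-end credentials left in decoded app files. Only
# the AWS access key ID format is documented and fixed; the rest are this
# example's assumptions about how such keys tend to appear: a telltale header
# or property name followed, within a few lines, by a quoted or XML-delimited
# 32-64 character value. Real keys and layouts may differ.
GAP = r"[\s\S]{0,60}?"                 # up to 60 characters of anything, lazily
VALUE = r"([A-Za-z0-9/+=]{32,64})"      # the key material itself
OPEN, CLOSE = r"""["'>]""", r"""["'<]"""  # quote or XML tag delimiters

PATTERNS = {
    # Root credentials: whoever holds these bypasses every access control.
    "aws_access_key_id": ("critical", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    "aws_secret_key": ("critical", re.compile(
        r"(?i)aws[_-]?secret" + GAP + OPEN + VALUE + CLOSE)),
    "parse_master_key": ("critical", re.compile(
        r"(?i)(?:x-parse-master-key|master[_-]?key)" + GAP + OPEN + VALUE + CLOSE)),
    # Public identifier: expected inside the app, harmless only if every
    # stored object carries an ACL.
    "parse_application_id": ("info", re.compile(
        r"(?i)(?:x-parse-application-id|parse[_-]?app(?:lication)?[_-]?id)"
        + GAP + OPEN + VALUE + CLOSE)),
}


@dataclass(frozen=True)
class Finding:
    app: str
    path: str
    line: int
    kind: str
    severity: str
    value: str


def scan_text(app, path, text):
    """Run every pattern over one decoded file and return what it finds."""
    findings = []
    for kind, (severity, pattern) in PATTERNS.items():
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start(1)) + 1
            findings.append(Finding(app, path, line, kind, severity, m.group(1)))
    return findings


def scan_apps(apps):
    """apps maps an app name to {relative path: file text} for its decoded files."""
    return [f for app, files in apps.items()
            for path, text in files.items()
            for f in scan_text(app, path, text)]


def root_credentials(findings):
    return [f for f in findings if f.severity == "critical"]


def reused_across_apps(findings):
    """Root credentials found in more than one app: one leak opens them all."""
    apps_by_value = defaultdict(set)
    for f in root_credentials(findings):
        apps_by_value[f.value].add(f.app)
    return {v: sorted(a) for v, a in apps_by_value.items() if len(a) > 1}


# Constructed sample input standing in for three decoded apps. The AWS values
# are Amazon's documented example keys; the Parse-style values are made up.
SAMPLE_APPS = {
    "com.example.weather": {
        "smali/com/example/weather/Backend.smali": (
            ".method private static backend()V\n"
            '    const-string v0, "X-Parse-Application-Id"\n'
            '    const-string v1, "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"\n'
            '    const-string v2, "X-Parse-Master-Key"\n'
            '    const-string v3, "7f3b9e2d1c5a8b6f4e0d2a9c7b5e3f1d8a6c4b2e"\n'
            ".end method\n"
        ),
    },
    "com.example.weather.pro": {  # same developer, same root key
        "assets/backend.json": (
            '{"parseAppId": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0", '
            '"masterKey": "7f3b9e2d1c5a8b6f4e0d2a9c7b5e3f1d8a6c4b2e"}'
        ),
    },
    "com.example.notes": {
        "res/values/strings.xml": (
            '<string name="aws_access_key_id">AKIAIOSFODNN7EXAMPLE</string>\n'
            '<string name="aws_secret_access_key">'
            "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n"
        ),
    },
}

if __name__ == "__main__":
    found = scan_apps(SAMPLE_APPS)
    for f in sorted(found, key=lambda f: (f.app, f.path, f.line)):
        print(f"{f.severity:8} {f.app} {f.path}:{f.line} {f.kind} {f.value}")
    for value, apps in reused_across_apps(found).items():
        print(f"reused root key {value[:8]}... in {', '.join(apps)}")
```

Point the scanner at a directory tree produced by apktool (Android) or at the strings of a decrypted iOS binary by reading each file into the same {path: text} shape; anything reported as critical is a root credential that every copy of the app carries and that any user can extract.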

The researchers did not actually download the records, but they were able to count them and figure out their type by simply looking at the database tables. The records included car accident information, user-specific location data, birthdays, contact information, telephone numbers, pictures, valid email addresses, purchase data, private messages, baby growth data and even whole server backups.

The researchers even found a mobile Trojan that used a BaaS service to store data and SMS messages stolen from infected devices, along with the attackers’ own commands and planned tasks.

The inclusion of BaaS credentials in applications exposes data records not only to theft by anyone, but also to manipulation or deletion. Attackers could also use the credentials to store their own data in those databases at the expense of the real account owners, who might not even realize that this is happening.

The researchers have been in contact with Google, Apple and the BaaS providers about the issue since April, and those parties in turn notified some of the developers whose apps were affected. However, as of Nov. 12, the exposed credentials still gave free access to over 52 million data items, the researchers said.

Some of this data is in limbo, because the apps that created it don’t even exist anymore as their developers moved on to other things. The service providers can’t simply delete it either, because the accounts are still active.

This suggests that developers either don’t care or don’t know how to fix the problem.

Some BaaS providers, like Amazon and Parse, offer more advanced access control and the ability to authenticate individual app users with the back-end services, instead of authenticating the whole app with a single key. However, these mechanisms can be hard to implement.

In some cases, implementing such identity management is so complicated that it defeats the primary goal of BaaS frameworks, which is to simplify developers’ jobs.

It’s no wonder that developers choose the easy route, which is also the insecure one, the researchers said.

While this is ultimately the developers’ problem, BaaS providers could improve their documentation so that even app creators with no security education can understand how to use the technology and the risks they're exposed to if they don’t do it properly. Providers could even force developers to take action by detecting apps that access their services using root access keys and displaying a warning, the researchers said.
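Both of the remedies mentioned above, per-user authentication with access control (Amazon and Parse) and provider-side detection of apps that call the service with a root key, can be illustrated with a short model. The code below is an added example, not code from the researchers, Parse or any provider. The header names follow the Parse REST API convention (X-Parse-Master-Key, X-Parse-Session-Token, X-Parse-Client-Key) and the per-object ACL shape is modelled on Parse's documented JSON ACL format; the request-log format, the application ids, the user-agent strings and the `_req` helper are this example's assumptions.

```python
import json
from collections import Counter

# Assumed user-agent prefixes of the mobile SDKs; real SDK strings may differ.
MOBILE_SDK_PREFIXES = ("Parse Android SDK", "Parse iOS SDK")


def classify_request(headers):
    """Which credential a request presents, and therefore what it can do."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-parse-master-key" in h:
        return "root"          # bypasses every ACL; should only come from servers
    if "x-parse-session-token" in h:
        return "user"          # an authenticated end user; ACLs decide
    if "x-parse-client-key" in h:
        return "anonymous"     # the public app key; ACLs decide, no identity
    return "unauthenticated"


def root_key_use_from_apps(log_lines):
    """Per application id, count requests that present the master key from a
    mobile SDK user agent, i.e. apps that shipped with the root credential.
    This is the provider-side warning the researchers suggest."""
    counts = Counter()
    for line in log_lines:
        rec = json.loads(line)
        if (classify_request(rec["headers"]) == "root"
                and rec["user_agent"].startswith(MOBILE_SDK_PREFIXES)):
            counts[rec["app_id"]] += 1
    return dict(counts)


def is_allowed(acl, principal, op):
    """Parse-style per-object ACL, e.g. {"*": {"read": True},
    "u_alice": {"read": True, "write": True}}. principal is the requesting
    user's id (derived server-side from the session token), or None for
    the anonymous client key."""
    entries = [acl.get("*", {})]
    if principal is not None:
        entries.append(acl.get(principal, {}))
    return any(entry.get(op, False) for entry in entries)


def authorize(headers, principal, acl, op):
    """The root key skips the ACL entirely; everyone else is bound by it.
    That is exactly why a root key inside an app exposes every record."""
    if classify_request(headers) == "root":
        return True
    return is_allowed(acl, principal, op)


def _req(app_id, user_agent, **headers):
    """Build one constructed request-log line (assumed format)."""
    return json.dumps({"app_id": app_id, "user_agent": user_agent,
                       "headers": {"X-Parse-Application-Id": app_id, **headers}})


# Constructed request log: two mobile apps, one of which ships its master key.
SAMPLE_LOG = [
    _req("app_weather", "Parse Android SDK 1.10", **{"X-Parse-Master-Key": "<redacted>"}),
    _req("app_weather", "Parse iOS SDK 1.8", **{"X-Parse-Master-Key": "<redacted>"}),
    _req("app_notes", "Parse Android SDK 1.10", **{"X-Parse-Session-Token": "r:<redacted>"}),
    _req("app_notes", "Parse Android SDK 1.10", **{"X-Parse-Client-Key": "<public>"}),
    # A server-side export job legitimately holds the master key; not flagged.
    _req("app_notes", "python-requests/2.9 nightly-export", **{"X-Parse-Master-Key": "<redacted>"}),
]

# Two constructed objects: a private message only Alice may see, and a public
# post anyone may read but only Alice may change.
PRIVATE_MESSAGE_ACL = {"u_alice": {"read": True, "write": True}}
PUBLIC_POST_ACL = {"*": {"read": True}, "u_alice": {"read": True, "write": True}}

if __name__ == "__main__":
    print("apps using the root key from mobile clients:", root_key_use_from_apps(SAMPLE_LOG))
    print("bob reads alice's message:", is_allowed(PRIVATE_MESSAGE_ACL, "u_bob", "read"))
    print("anonymous reads public post:", is_allowed(PUBLIC_POST_ACL, None, "read"))
    print("leaked root key reads alice's message:",
          authorize({"X-Parse-Master-Key": "<redacted>"}, None, PRIVATE_MESSAGE_ACL, "read"))
```

The detection half answers the article's suggestion directly: a provider that sees the master key arriving with a mobile SDK user agent knows that key is inside a shipped binary and can warn the developer. The authorization half shows what the harder alternative buys: once each record carries an ACL and the app authenticates individual users, a client key or session token extracted from the app can read only what that user is allowed to read, whereas a leaked root key reads everything.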
