Menu
Coding error could have exposed data on 180M phones

Coding error could have exposed data on 180M phones

The finding follows research by cyber-security firm Appthority

A simple coding error in at least 685 apps put millions of smartphone users at risk of having some of their calls and text messages intercepted by hackers, cyber-security firm Appthority has warned.

Developers mistakenly coded credentials for accessing text messaging, calling and other services provided by Twilio, said Appthority's director of security research, Seth Hardy. Hackers could access those credentials by reviewing the code in the apps, then gain access to data sent over those services, he said.

Affected apps include the AT&T Navigator app pre-installed on many Android phones and more than a dozen GPS navigation apps published by Telenav. Such apps have been installed as many as 180 million times on Android phones and an unknown number of times on Apple's iOS-based devices.

Shares of Twilio slid nearly seven per cent after the Appthority report. Hackers covet Twilio credentials because they are used in a variety of apps that send text messages, process phone calls and handle other services. Hackers could access related data if they log into a developer's Twilio account, Hardy said.

Appthority, cautious not to tip off potential hackers, did not list all the apps that could be vulnerable. Twilio's website says its users include Uber Technologies and Netflix. However, large companies like those typically have security reviews that catch common coding errors like the one Appthority described.

There was no indication that Uber or Netflix were affected by the problem.

The findings highlight new threats posed by the increasing use of third-party services such as Twilio, which says on its website that it powers communications for more than 40,000 businesses worldwide. Developers can inadvertently introduce security vulnerabilities if they do not properly code or configure such services.

“This isn't just limited to Twilio. It's a common problem across third-party services," Hardy said. "We often notice that if they make a mistake with one service, they will do so with other services as well.”

Appthority said it also warned Amazon.com that it had found credentials for at least 902 developer accounts with cloud-service provider Amazon Web Services in a scan of 20,098 different apps.

Those credentials could be used to access app user data stored on Amazon, Hardy said.

A representative with Amazon declined comment.

One problem with third-party services is that developers often use the same account across multiple apps, similar to how consumers might use one email address for a variety of financial services and can have fraud problems at all of them if hackers compromise that single email account.

Appthority found Twilio credentials exposed in a now-defunct version of the AT&T Navigator mapping and GPS app. The AT&T app was a re-branded version of an app originally built by Telenav.

Appthority found that newer versions of the AT&T app appeared to be safe, but data sent over them could still be at risk if the developer of a related app is still using the same Twilio account. It said the same Twilio credentials were found coded in more than a dozen other Telenav apps.

AT&T and Telenav could not immediately be reached for comment.

The mistakes were caused by developers, not Twilio, Hardy said. Twilio's website warns developers that leaving credentials in apps could expose their accounts to hackers.

Twilio spokesman Trak Lord said the company has no evidence that hackers used credentials coded into apps to access customer data but was working with developers to change credentials on affected accounts.

The Twilio vulnerability only affects calls and texts made inside of apps that use its messaging services, including some business apps for recording phone calls such as Wrappup and RingDNA, according to Appthority's report. Wrappup an RingDNA could not immediately be reached for comment.

In a survey of 1,100 apps, Appthority found 685 problem apps that were linked to 85 affected Twilio accounts. That suggests the theft of credentials for one app's Twilio account could pose a security threat to all users of as many as eight other apps.

Twilio's shares closed down 6.8 per cent at US$25.93. Shares had rallied in pre-market trading after Twilio beat revenue expectations and raised its revenue forecast during an earnings report after the markets closed on Wednesday.

(Reporting by Stephen Nellis; Editing by Jim Finkle, Leslie Adler and David Gregorio)


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags GoogleAppleAndroidioshacksmartphoneAppthorityTwilio

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments