Thousands of iPhone apps leak user data due to incorrect settings
Over the past 10 years, the popularity of cloud storage services has grown dramatically. You probably use iCloud, Google Drive or Yandex.Disk yourself to avoid taking up space on your computer or iPhone. It is all the more convenient that many apps let you store data in the cloud. But as it turns out, such applications often do not take care of the security of their users’ data. Zimperium, a mobile security company, found that tens of thousands of iOS and Android apps use incorrect cloud configurations, so that almost anyone can download user data.
Because of developers’ negligence, ordinary users may suffer
Information security experts conducted an automated analysis of more than 1.3 million Android and iOS apps to identify common cloud misconfigurations that allow access to user data. Researchers found about 84,000 Android apps and nearly 47,000 iOS apps that use public cloud services such as Amazon Web Services, Google Cloud or Microsoft Azure rather than their own servers. Of those, researchers found misconfigurations in 14 percent of the total number of apps, that is, 11,877 Android apps and 6,608 iOS apps. These applications disclose users’ personal information, passwords and even health information, Wired reports.
As the experts point out, many of these apps use cloud storage that has not been properly configured by the developer or anyone else, so user data is visible to just about anyone.
“Most of us have some of these apps installed right now,” Zimperium said.
If developers had set up cloud services correctly, there wouldn’t be a problem
Researchers reached out to several developers of apps in which they discovered the cloud vulnerabilities, but they said very few responded, and most of those apps still leave their data exposed. Unfortunately, Zimperium does not name the affected apps in its report, and the researchers cannot notify tens of thousands of developers at once.
The services they looked at range from apps with a few thousand users to apps with a few million users.
One such app is a mobile wallet from a Fortune 500 company that exposes some information about user sessions and financial data. Another example is a transportation app that stores payment data in the open. Researchers also found exposed medical apps with test results and even images of user profiles.
The company has not yet been able to assess whether attackers have discovered any of the vulnerabilities the experts found. But the researchers note that they would be easy to find using the same publicly available information that Zimperium used in its research; hacker groups already do this type of scanning to find improper cloud configurations in web services. On top of that, the researchers found that some incorrect configurations allow attackers to modify or overwrite data.
The major cloud providers, such as Amazon, have already made efforts to detect possible misconfigurations and warn customers about them, but it is still up to developers to fix these vulnerabilities.
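The article does not say which settings were wrong, so as an added illustration (not Zimperium's tooling or any of the affected apps' code) here is a small audit of an AWS S3 bucket policy: it reports whether anonymous principals get read access (the "anyone can download" case) or write access (the "modify or overwrite" case), and shows a constructed weak policy beside a corrected one. Bucket name, account id and role name are placeholders.

```python
import json

# Actions that let anonymous principals read user data, or overwrite it.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:*", "*"}


def _is_anonymous(principal) -> bool:
    """True when a statement's Principal is everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_grants(policy_json: str) -> dict:
    """Return {"read": bool, "write": bool}: what a bucket policy grants to anyone."""
    policy = json.loads(policy_json)
    found = {"read": False, "write": False}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped by a condition; a full audit would inspect it further
        actions = stmt.get("Action", [])
        actions = {a.lower() for a in ([actions] if isinstance(actions, str) else actions)}
        found["read"] |= bool(actions & READ_ACTIONS)
        found["write"] |= bool(actions & WRITE_ACTIONS)
    return found


# Constructed example of the misconfiguration the article describes:
# everyone may download and overwrite objects (bucket name is a placeholder).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-app-user-data/*"}]})

# Corrected counterpart: only the app's backend role (placeholder ARN) may touch objects.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app-backend"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-app-user-data/*"}]})

if __name__ == "__main__":
    print("weak :", public_grants(WEAK_POLICY))   # {'read': True, 'write': True}
    print("fixed:", public_grants(FIXED_POLICY))  # {'read': False, 'write': False}
```

The same check belongs in a CI step or a periodic scan of every bucket an app writes to, since the providers' own warnings, as the article notes, still leave the fix to the developer.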
“It’s clear that cloud service misconfiguration can be a widespread problem,” said Will Strafach, an iOS security researcher and creator of the Guardian Firewall app.
“Many services, including major ones, seem to have serious cloud data security issues. It’s a shame we don’t know the specific names of those apps yet, but I think that information will come out soon.”