Millions Of Records Exposed By Poorly Written Apps

App developers, like all software developers, like to integrate existing code to reduce their workload and their time to market.

Unfortunately, that does not mean that developers will follow the best practices in using that existing code.

According to a presentation at Black Hat Europe this week, developers who use BaaS (Backends as a Service) sometimes hard-code the credentials to access those services – such as Amazon Web Services or Parse (Facebook) – into their code.

Reverse engineering mobile code to find those credentials, even if they are obfuscated, is not that hard.
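The check a development or due-diligence team would want for the problem described above is a pre-release scan of what a decompiler or `strings` pulls out of an app. The following is an added example, not code from the post or the researchers, and assumes the documented AWS long-term key formats (20-character access key IDs starting with `AKIA`, 40-character secret keys); the decompiled sample is constructed.

```python
import re
from typing import Dict, List

# Long-term AWS access key IDs are 20 characters beginning with "AKIA";
# the matching secret access key is a 40-character base64-style string.
AWS_ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
AWS_SECRET_KEY_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# Names a developer typically gives a variable that holds a backend secret.
SECRET_NAME_RE = re.compile(r"(secret|api[_-]?key|master[_-]?key|password)", re.IGNORECASE)

# Constructed sample of decompiled Java; the key pair is AWS's documented
# example pair, not a live credential.
SAMPLE_DECOMPILED = [
    'public static final String REGION = "us-east-1";',
    'private static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
    'private static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";',
    'Log.d(TAG, "starting sync");',
]


def scan_strings(lines: List[str], source: str = "<memory>") -> List[Dict[str, object]]:
    """Return one finding per string that looks like an embedded AWS credential.

    Input is the text a decompiler or `strings` produced for an app bundle;
    nothing is contacted and the secret itself is never written out in full.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        for m in AWS_ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_access_key_id",
                             "value": m.group(1)[:8] + "..."})
        # Only treat a 40-character run as a secret when it sits next to a
        # secret-looking name, which keeps ordinary base64 blobs out of the report.
        if SECRET_NAME_RE.search(line):
            for m in AWS_SECRET_KEY_RE.finditer(line):
                findings.append({"source": source, "line": lineno,
                                 "kind": "aws_secret_access_key",
                                 "value": m.group(1)[:4] + "..."})
    return findings


def has_embedded_credentials(lines: List[str]) -> bool:
    """Gate for a release pipeline: fail the build if any backend credential ships
    in the binary. The fix is to have the app obtain short-lived, per-user
    credentials from the backend after the user authenticates, not to obfuscate
    a long-lived key."""
    return bool(scan_strings(lines))


if __name__ == "__main__":
    for f in scan_strings(SAMPLE_DECOMPILED, "app.apk"):
        print(f"{f['source']}:{f['line']} {f['kind']} {f['value']}")
```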

As a test, the researchers looked at two million apps and extracted backend server credentials from 1,000 of them.

Even though statistically that is only 0.05% of the apps, that does not mean it is 0.05% of the data. The 2 millionth and first app could disclose more data than the first two million apps collectively did.

The researchers, using these credentials, were able to look at 18 million records and 53 million data elements.

What is even worse is that the researchers talked to Amazon and other services months ago and the data elements are still accessible.

The message here is not that using cloud services is a bad idea but rather that HOW you use cloud services is important. As always, security must be designed in, not added on.

According to these researchers, doing it right is much harder than doing it fast in this case, so some developers choose to take the shortcut.

And, unfortunately, it is completely invisible to you and me.

For those that manage developers or that are doing cyber due diligence, this is a heads up to ask some possibly uncomfortable questions.

For those of us that just want to download an app and use it, it should give us a little pause to consider WHAT we are giving to those apps and what due diligence we or someone else did on the apps.

Just food for thought.


Information for this post came from Computerworld.
