App vulnerability discovered that leaves millions of sensitive user records at risk


A team of security researchers working in Germany has discovered a huge vulnerability in the way that thousands of popular smartphone apps store data online. The vulnerability means that users’ important personal information, such as passwords, addresses and location data, could quite easily be hacked. Thankfully, however, the same researchers suggest that from what they have learned so far, the vulnerability has not yet been exploited.

The team of researchers found that the applications which suffer from this large-scale vulnerability come from a broad cross-section, including games, social networks, messaging, medical, and bank transfer apps. Across this range of apps, it found around 56 million items of unprotected data. Siegfried Rasthofer, who is part of the team from the Fraunhofer Institute for Secure Information Technology, said that the problem is so widespread that,

‘In almost every category we found an app which has this vulnerability in it.’

The problem, which has apparently also been uncovered independently by a Colombian researcher called Jheto Xekri, stems from the design stage of app programming and, in particular, the way in which developers authenticate users with a ‘token’ when storing their personal details in online databases.

A token is a string of letters and numbers embedded in the software’s code and is used to protect users’ sensitive data. Unfortunately, the new research shows that the way app developers often use Backend-as-a-Service (BaaS) to store sensitive data leaves the information extremely vulnerable to hackers, who could easily extract and alter these tokens. This gives them full access to the personal details of every user stored on the server for that particular application:

‘All cloud providers extensively document on their webpages how apps must include the BaaS such that secure access to the data is guaranteed. Most developers seem to be missing this crucial piece of information, though, and opt for the simple but insecure usage of the service, probably not even aware that they are putting their users’ data at risk.’
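To make the difference between the ‘simple but insecure usage’ and the documented secure usage concrete, here is an added toy model of a BaaS table. It is an illustration written for this page, not code from the Fraunhofer team or from any BaaS provider’s SDK; the class, method and rule-mode names, the key format and the test users are all assumptions. In the insecure mode the application key embedded in the app authorises every read and write by itself, so a request carrying only that key can dump the whole table; in the secure mode the key merely identifies the application, every data request also needs a per-user session, and access rules confine each user to their own records.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


class AccessDenied(Exception):
    """Raised when the store's access rules reject a request."""


@dataclass
class Record:
    owner: str      # user id that created the record ("app" if no user was involved)
    fields: dict    # the sensitive payload: address, location, ...


class ToyBaas:
    """Stand-in for one BaaS table, with the access-rule mode as a switch.

    rules="app_key_only": the application key alone authorises every read
        and write (the 'simple but insecure usage' of the service).
    rules="owner_only": the key only identifies the application; data
        requests also need a per-user session token, and each record is
        visible only to its owner (the provider-documented secure usage).
    Both mode names are assumptions made for this illustration.
    """

    def __init__(self, rules: str) -> None:
        if rules not in ("app_key_only", "owner_only"):
            raise ValueError(rules)
        self.rules = rules
        self.app_key = "app_" + secrets.token_hex(8)  # constructed key format
        self.users = {}     # user id -> password (plaintext is fine for a toy)
        self.sessions = {}  # session token -> user id
        self.records = {}   # record id -> Record

    def register(self, user: str, password: str) -> None:
        self.users[user] = password

    def login(self, app_key: str, user: str, password: str) -> str:
        self._check_app_key(app_key)
        if self.users.get(user) != password:
            raise AccessDenied("bad user credentials")
        token = secrets.token_urlsafe(16)
        self.sessions[token] = user
        return token

    def _check_app_key(self, app_key: str) -> None:
        if not secrets.compare_digest(app_key, self.app_key):
            raise AccessDenied("unknown application key")

    def _principal(self, app_key: str, session: Optional[str]) -> str:
        """Decide which identity a request acts as, according to the rule set."""
        self._check_app_key(app_key)
        user = self.sessions.get(session) if session else None
        if self.rules == "owner_only" and user is None:
            raise AccessDenied("a valid user session is required")
        return user or "app"   # in app_key_only mode the key alone is enough

    def put(self, app_key: str, session: Optional[str], record_id: str, fields: dict) -> None:
        user = self._principal(app_key, session)
        existing = self.records.get(record_id)
        if self.rules == "owner_only" and existing is not None and existing.owner != user:
            raise AccessDenied("record belongs to another user")
        self.records[record_id] = Record(owner=user, fields=fields)

    def dump_all(self, app_key: str, session: Optional[str]) -> dict:
        """Bulk read: the kind of request that exposes a whole user table."""
        user = self._principal(app_key, session)
        if self.rules == "owner_only":
            return {rid: r.fields for rid, r in self.records.items() if r.owner == user}
        return {rid: r.fields for rid, r in self.records.items()}


def demo(rules: str) -> dict:
    """Populate a store with two constructed users' data and compare what
    different credentials can read. Returns counts so the outcome is checkable."""
    store = ToyBaas(rules)
    for name in ("alice", "bob"):
        store.register(name, f"{name}-password")
        token = store.login(store.app_key, name, f"{name}-password")
        store.put(store.app_key, token, f"profile-{name}",
                  {"address": f"{name}'s street 1", "location": "0,0"})

    bob_token = store.login(store.app_key, "bob", "bob-password")
    bob_sees = len(store.dump_all(store.app_key, bob_token))

    # A request carrying the application key and nothing else: this is all
    # that a key embedded in a shipped app amounts to once it is recovered.
    try:
        key_only_sees = len(store.dump_all(store.app_key, None))
    except AccessDenied:
        key_only_sees = 0
    return {"bob_sees": bob_sees, "key_only_sees": key_only_sees}


if __name__ == "__main__":
    print("insecure:", demo("app_key_only"))   # {'bob_sees': 2, 'key_only_sees': 2}
    print("secure:  ", demo("owner_only"))     # {'bob_sees': 1, 'key_only_sees': 0}
```

The point the model makes is that rotating or hiding the embedded key does not help on its own: anything shipped inside an app must be treated as public, so the only durable fix is the one the providers document, namely per-user authentication plus server-side access rules that decide per record who may read or write it.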

For security reasons, the team of researchers refused to name any of the compromised applications but did make it clear that the vulnerability affects a large cross-section of the marketplace. Affected apps number in the tens of thousands, and include some of the most popular apps on both the Apple and Google Play stores.

Luckily, the team of researchers has discovered this vulnerability before it has been used by hackers (as far as it can tell), and with all four of the platforms involved now warned to look into the problem, developers can hopefully patch the vulnerability before any large data theft occurs.

Apple, for one, went on record on Monday to say that in future it would put warnings at the upload stage, telling developers to double-check their security settings for the vulnerability before uploading an app. It was not made clear in its statement, however, how it would be dealing with any apps that already have the problem on the app store.

Meanwhile, a Facebook spokesperson told the team that since being informed about the vulnerability, it has been working in full cooperation with affected apps to try and fix the problem as quickly as possible – although no further information was released about the logistics of how this process was being carried out.

According to Ibrahim Baggili, who runs a cybersecurity lab at the University of New Haven, it is not a surprise that affected apps were mainly mobile apps. This, he suggests, is because strong security is harder to implement on those platforms, though he also suggested that part of the problem is that app makers often rush their products to market in order to start making a profit as quickly as possible, instead of taking the time to be certain of users’ security before releasing an app.

Bryce Boland, from internet security company FireEye, agreed that the German researchers’ findings reflect deeper security problems within app culture. He said that FireEye had regularly found developers to be sending users’ sensitive information (such as names and passwords) unencrypted, leaving him unsurprised ‘to find them storing them insecurely as well.’

Team leader Eric Bodden has likened the newly discovered problem to last year’s Heartbleed bug, which left half a million web servers at risk of data theft. He has, however, suggested that the ease with which this latest vulnerability can be exploited makes it even more dangerous:

“Due to legal restrictions and the huge amount of suspicious apps, we could only inspect a small number in detail”, says Prof. Eric Bodden. “However, our findings and the nature of the problem indicate that an enormous amount of app-related information is open to identity theft or even manipulation.”

As to who is at fault, Domingo Guerra, co-founder of mobile security company Appthority, has suggested that although app makers are at fault for not implementing strong security in their apps, app stores must also shoulder some responsibility. He suggests that they should regularly check apps for holes such as the one that has been discovered, though Bodden points out that it is now down to developers to sort out the problem in their apps, commenting that,

‘With Amazon’s and Facebook’s help we also informed the developers of the respective apps and they really are the ones who need to take action because they underestimated the danger.’

Source –