Data of millions of app users at risk owing to coding flaws


Security experts have revealed that data of millions of app users is vulnerable and could be easily stolen owing to coding flaws that leave data of users unprotected.

Experts at Technische Universität Darmstadt and Fraunhofer SIT, based on their analysis of cloud databases like Facebook’s Parse and Amazon’s AWS, have found 56 million sets of unprotected data including email addresses, passwords, health records and other sensitive information of app users, which may be easily stolen and often manipulated.

Cloud databases are one of the most common tools app developers use to store user data, but according to the experts, developers are ignoring the security recommendations provided by the cloud providers. This negligence may put user data at risk of being stolen and expose the owners of that data to identity theft and other cybercrimes.

“Therefore users should take care what kind of data they trust their apps with”, says Prof. Eric Bodden, the leader of the joint research team.

The analysis revealed that many app developers are resorting to the weakest form of authentication: a simple API token, which is a number embedded in the app’s code. Experts warn that attackers can easily extract those tokens and not only read the data, but often even manipulate it. Attackers could, for example, sell email addresses on the underground market, blackmail users, deface websites or insert malicious code to spread malware or build botnets.

To properly protect private data, apps must implement an access-control scheme. However, the tests show that the vast majority of apps do not use such access control. Focusing on apps from Google’s Play Store and Apple’s App Store, the scientists scanned 750,000 apps using different internally developed analysis frameworks including, for example, Fraunhofer’s Appicaptor. With the help of these expert tools, the scientists were able to identify apps using the weak authentication and started an in-depth analysis of selected apps. During the investigation it turned out that many data items contained private information, for example verified email addresses, full user names or information about psychological illnesses.
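The difference between the embedded-token approach and an access-control scheme can be modelled in a few lines. The following is an added illustration, not code from the researchers or from any cloud provider: the `Backend` class, the key value and the sample record are constructed, and the per-record owner check is one assumed form of access control.

```python
import secrets

APP_KEY = "constructed-app-key"  # placeholder for the token shipped inside every install

class Denied(Exception): pass

class Backend:
    def __init__(self, enforce_acl):
        self.enforce_acl = enforce_acl
        self.sessions = {}  # session token -> user name
        # Constructed sample record owned by the user "alice".
        self.records = {"r1": {"owner": "alice", "data": {"email": "alice@example.test"}}}

    def login(self, user):
        token = secrets.token_hex(16)  # stand-in for a real credential check
        self.sessions[token] = user
        return token

    def _authorize(self, app_key, session, record_id):
        if app_key != APP_KEY:
            raise Denied("unknown app")
        if not self.enforce_acl:
            return  # weak mode: the embedded app key is the only check
        user = self.sessions.get(session)
        if user is None or self.records[record_id]["owner"] != user:
            raise Denied("caller is not the authenticated owner")

    def read(self, app_key, record_id, session=None):
        self._authorize(app_key, session, record_id)
        return dict(self.records[record_id]["data"])

    def write(self, app_key, record_id, data, session=None):
        self._authorize(app_key, session, record_id)
        self.records[record_id]["data"] = dict(data)

def allowed(call):
    try:
        call()
        return True
    except Denied:
        return False

def compare(enforce_acl):
    # Which requests against alice's record succeed under the chosen policy.
    be = Backend(enforce_acl)
    alice, bob = be.login("alice"), be.login("bob")
    return {
        "key_only_read": allowed(lambda: be.read(APP_KEY, "r1")),
        "key_only_write": allowed(lambda: be.write(APP_KEY, "r1", {"email": "changed@example.test"})),
        "other_user_read": allowed(lambda: be.read(APP_KEY, "r1", bob)),
        "owner_read": allowed(lambda: be.read(APP_KEY, "r1", alice)),
    }
```

With `compare(False)` every request succeeds because the app key is the only gate; with `compare(True)` only the record owner's authenticated session gets through.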

“Due to legal restrictions and the huge amount of suspicious apps, we could only inspect a small number in detail”, says Prof. Eric Bodden. “However, our findings and the nature of the problem indicate that an enormous amount of app-related information is open to identity theft or even manipulation.” When the scientists discovered the problem, they immediately informed the cloud providers and the German Federal Office for Information Security (BSI). “With Amazon’s and Facebook’s help we also informed the developers of the respective apps and they really are the ones who need to take action because they underestimated the danger”, says Bodden.

You can find further information about the vulnerability online at www.sit.fraunhofer.de/appdatathreat.