Cloud access keys hardcoded inside apps leave users exposed to data theft and developers vulnerable to server hijacking
Researchers from the Technical University in Darmstadt, Germany, have carried out an extensive study on over 2 million mobile applications built on top of BaaS (Backend-as-a-Service) cloud services.
BaaS services like Facebook Parse, Amazon Web Services (AWS), and Cloudmine are cloud-based companies that allow mobile app developers to build complex server-side backends for their applications using a simple API.
Their role is to reduce the know-how needed to develop complex app features, but also to cut down development time and costs for more experienced programmers.
Hardcoded cloud access keys, an old problem that has just got bigger
The research presented by the German researchers at the Black Hat Europe 2015 security conference in Amsterdam explains a common problem that affected developers in the past but has since been exacerbated by the proliferation and over-simplification of cloud services in general.
The problem is the presence of hardcoded authentication credentials for the backend cloud service, right inside the mobile application’s code.
Although some of the apps may be obfuscated, a large number of apps can be easily decompiled.
This exposes both users, who see their personal data exposed, and developers, who risk having their servers hijacked by other groups and may end up paying for cloud transactions and operations they cannot afford.
Thousands of apps affected, millions of data records exposed
According to the German researchers, the problem of hardcoded cloud authentication credentials is a huge one. To assess the number of affected apps and users, the researchers created a special scanning and analysis framework that they used to analyze over 2 million Android and iOS apps.
Using this tool, they managed to discover over 56 million individual data records exposed in thousands of apps, holding sensitive information on millions of users, like passwords, real names, account preferences, health data, phone numbers, pictures, and more.
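The researchers' scanning framework is not public in this article, so the following is an added example, not their code, of the kind of defensive check a development team can run over its own decompiled build before shipping. It assumes decompiled Java-style source as input; the AWS access key ID shape (AKIA followed by 16 uppercase alphanumerics) is publicly documented by AWS, while the 40-character secret shape, the 3.5 bits-per-character entropy cut-off and the key-name list are heuristics chosen here. The sample source and its values are constructed (the secret-shaped string is the placeholder AWS uses in its own documentation).

```python
"""Scan decompiled app source for hardcoded backend credentials (added defensive example)."""
import math
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    kind: str
    line_no: int
    value: str


# Shapes of credentials that copy-pasted BaaS SDK snippets commonly leave in app code.
# AWS_KEY_ID_RE follows AWS's documented access key ID format; the other two patterns and
# the entropy threshold are heuristics (assumptions) chosen for this example.
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_SHAPE_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
KEY_ASSIGN_RE = re.compile(
    r"(?i)\b(api_?key|client_?key|master_?key|secret_?key|secret)\b\s*=\s*[\"']([^\"']{16,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; random-looking secrets score well above this


def shannon_entropy(s: str) -> float:
    """Bits per character of a string; filler such as 'AAAA...' scores 0, real secrets score high."""
    n = len(s)
    if n == 0:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str, keep: int = 4) -> str:
    """Mask everything after the first few characters so a scan report never re-publishes the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def scan_decompiled(source: str) -> List[Finding]:
    """Return every credential-shaped token found in the decompiled source, with its line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append(Finding("aws_access_key_id", line_no, m.group(0)))
        for m in SECRET_SHAPE_RE.finditer(line):
            # The 40-character shape alone is noisy; require the token to look random as well.
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(Finding("aws_secret_candidate", line_no, m.group(0)))
        for m in KEY_ASSIGN_RE.finditer(line):
            findings.append(Finding("key_assignment", line_no, m.group(2)))
    return findings


# Constructed sample of decompiled app source; none of these values are real credentials.
SAMPLE_DECOMPILED = """\
package com.example.app;
public class BackendConfig {
    // constructed example values; not real credentials
    static final String ENDPOINT = "https://api.example-backend.invalid/v1";
    static final String AWS_KEY_ID = "AKIAEXAMPLEKEY000001";
    static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String PLACEHOLDER = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    static final String masterKey = "constructed-master-key-value-0123456789";
    static final String DESCRIPTION = "Lorem ipsum dolor sit amet consectetur";
}
"""

if __name__ == "__main__":
    for f in scan_decompiled(SAMPLE_DECOMPILED):
        print(f"line {f.line_no}: {f.kind} -> {redact(f.value)}")
```

Run against the sample, the scanner reports the access key ID on line 5, the high-entropy secret on line 6 and the masterKey assignment on line 8, while the 40-character run of "A"s on line 7 is ignored because its entropy is zero. The point of a check like this is to catch the copy-pasted credential before the build reaches an app store; the fix it points at is to keep master or secret keys on a server the developer controls and hand the app only short-lived, per-user tokens.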
In one strange case, the researchers even found data about a malware campaign, a mobile trojan that used a BaaS service for its backend.
Google and Apple were notified about the issues
Because this problem plagued so many different applications, the researchers worked with CERT, who then informed Google and Apple (app store owners) about their research’s results.
Both companies notified developers, but when the German researchers reran their tool a few days before their presentation, they found that only 4 million of the exposed data records had been removed, leaving over 52 million data items still accessible.
The conclusion is that either the developers don’t care enough about user privacy to protect sensitive data, or they do not know how to do it in the first place.
The latter is the more likely explanation, since services like Parse and AWS are usually used by novices in the world of app development, who are still developing their skills and need help implementing more complex features.
“They [BaaS providers] abstract away from backend handling and reduce it to a handful of lines of code that every developer can just copy&paste into his app without further knowledge or consideration,” explain the researchers. “Every additional mandatory step would contradict their own business model of abstraction and simplicity.”
The full (In)Security of Backend-as-a-Service report is available on the Black Hat Europe 2015 website.