The 1000 most popular Android apps have serious vulnerabilities in the cloud

Cloud-based architecture has been promoted as a much more secure alternative to traditional networks, according to experts in vulnerability testing. However, this security does not appear to extend to mobile applications that depend on the simultaneous use of many different cloud servers.

Researchers at a university in the U.S. analyzed the 5,000 most popular Android apps on the Google Play Store and discovered that at least 1,000 of these products are vulnerable because of the way they connect to backend services in the cloud. The researchers also developed a tool that lets developers check whether their products are vulnerable to such errors.

Most mobile apps rely on cloud services to download or send content, to sense and track user activity, or to avoid saturating device memory. “Unfortunately, a mobile app developer who wants to audit the backends that his app uses will quickly find this more difficult than it seems,” vulnerability testing specialists say.

Cloud backend services for mobile app development are not at all reliable: experts found that compromised apps use at least 6,800 server networks worldwide, and some of these apps communicate with more than one cloud network, possibly on more than one continent.

“Knowing that our apps communicate with dozens, or even hundreds of servers may sound surprising,” said one of the experts behind the research. “This is a security weakness that no one had noticed to this date,” the experts added.

About 980 of the security vulnerabilities found in this investigation had previously been reported; however, the experts reported finding at least 655 zero-day vulnerabilities.

An example of this undesirable scenario is the attack on the mobile version of the video game Fortnite. On that occasion, content progressively downloaded from backends allowed hackers to install additional apps without users’ consent, all in the background while the victim waited for the popular video game to download. Other similar incidents have led to mass leaks of sensitive information from smartphone users.

According to the vulnerability testing experts of the International Institute of Cyber Security (IICS), SkyWalker, the security tool developed by this team of experts, will allow companies to audit cloud-based security to find the most vulnerable points and limit cybersecurity risks to end users.