A team of German researchers from the Fraunhofer Institute for Secure Information Technology and the Darmstadt University of Technology have determined that over 56 million items of data are unprotected with applications that were studied under a scanner. These apps include social networks, bank transfer apps, messaging, medical and even games.
Siegfried Rasthofer, part of the team of researchers said, “In almost every category we found an app which has this vulnerability in it.”
The leader of the German team, Eric Bodden, added that the potential number of affected records “will likely be in the billions”.
These findings weren’t restricted to the German team alone. A Colombian researcher Jheto Xekri, working separately, added that he found the same inherent flaw.
The flaw
Bodden added that the vulnerability arises due to the way users of applications are authenticated when storing their data (encrypted or otherwise) in online databases by the developers who write and sell their applications. The flaw exists because:
- A significant portion of popular applications share or back up users’ data, with services such as Amazon’s Web Services and Facebook’s Parse used by several applications.
- Despite these services offering advanced options for developers to protect data, many end up choosing the default option called a token. A token is a string of letters and numbers that’s embedded within the software’s code.
- Attackers and cyber criminals can easily tweak and manipulate these tokens within the app to extract and hack the tokens, giving them access to private data of all users of the application stored on the web services server.
The team added that companies such as Amazon, Google, Apple and Facebook had responded to their research and findings.
Apple notified the team of researchers that they would include warnings to developers, reminding them to double-check their security parameters and settings before uploading applications onto the company’s App Store. Google has so far declined to comment. A Facebook spokesperson meanwhile said that the company has been working with affected developers after being notified of the vulnerability and security risk.
The buck stops with the developers
Mobile applications have a higher risk of failing to secure user data than applications and web services running on computers, according to Ibrahim Baggili who heads a cybersecurity lab at the University of New Haven. This is due to two reasons:
- Implementing stronger security on mobile applications is harder.
- App developers are in a frenzied rush to release their apps, thereby not taking the time to ensure security measures are held up.
Meanwhile, other security researchers have pointed to others in the chain besides developers who are responsible for weak authentication in their applications.
“The truth is that there is plenty of fault to go around,” concluded Domingo Guerra, co-founder of mobile security company Appthority.