Dallas-based security firm Zimperium has revealed that more than 18,000 Android and iOS apps are leaking users' sensitive personal data from improperly secured cloud servers.
The leaked information includes medical test results, online banking and shopping site session tokens, user photos, user names, real names, phone numbers, email addresses, and street addresses. Also leaked were details of server configurations, online payment systems, airport transportation systems, encryption keys, and even blank bank checks.
"Our analysis revealed a number of critical issues that could expose PII (personally identifiable information, or sensitive data), enable fraud, and/or expose IP and internal systems and settings," Zimperium's Chilik Tamir wrote in a report published Thursday (March 4).
Anyone with a browser and a command-line tool who knew where to look could have accessed the exposed data without having to guess a password. The report does not name the guilty parties, but describes them as "a major gaming app," "a social media app," "a Fortune 500 mobile wallet," "a major online retailer," and "a major music service." Zimperium CEO Shridhar Mittal told Wired's Lily Hay Newman: "We've seen a lot of these apps go down. Most of us have some of these apps now."
Many smartphone apps rely on cloud databases to hold user data: streaming Netflix, checking social media and email, playing multiplayer games, and so on are merely front ends to huge online repositories on servers leased from Amazon, Google, and Microsoft.
However, Amazon, Google, and Microsoft do not go around checking to see if each and every client using cloud computing is properly protecting their databases. It is up to the client to do so, but many clients are not doing a proper job. It's like opening a boutique storefront while forgetting to lock the back door into the alley.
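The misconfiguration the article describes is an access policy on a cloud storage container that grants read access to everyone rather than to the app's own backend. As an added illustration (not code from the article or from Zimperium), the following script lints an AWS S3 bucket policy document for that mistake, placing a constructed public-read policy beside a constructed restricted one; the bucket name `example-app-userdata`, the account ID, and the role name are all made-up placeholders. A policy lint is only a first check: the account-level "Block Public Access" setting and the bucket ACL also need reviewing, and grants carrying a `Condition` are reported separately because whether they are effectively public depends on the condition.

```python
import json

# Constructed sample policies (not from the Zimperium report). The first is the
# weak setting: "Principal": "*" means any unauthenticated client may read.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-app-userdata",      # placeholder bucket name
            "arn:aws:s3:::example-app-userdata/*",
        ],
    }],
})

# The corrected setting: only the app's backend role may touch objects.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppBackendOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-backend"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-app-userdata/*",
    }],
})


def _principal_is_anonymous(principal):
    """True if the Principal element names everyone, in any of the forms AWS accepts."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def _statements(policy):
    """AWS allows Statement to be a single object or a list; normalise to a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def audit_bucket_policy(policy_json):
    """Classify each Allow statement that grants to an anonymous principal.

    Returns {"public": [...], "needs_review": [...]} where entries are the
    statement Sid (or a positional label when no Sid is present). A grant with
    a Condition (e.g. a source-IP restriction) lands in needs_review rather
    than public, because the condition may or may not actually limit access.
    """
    policy = json.loads(policy_json)
    result = {"public": [], "needs_review": []}
    for i, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        bucket = "needs_review" if stmt.get("Condition") else "public"
        result[bucket].append(label)
    return result


def is_publicly_readable(policy_json):
    """Convenience wrapper: True when at least one unconditional anonymous grant exists."""
    return bool(audit_bucket_policy(policy_json)["public"])


if __name__ == "__main__":
    for name, doc in (("public-read", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_bucket_policy(doc))
```

Run against a live account, the policy document would come from the storage API rather than a constant, but the evaluation logic is the same. A clean result from this lint does not by itself mean the container is private: object ACLs, the account-wide public-access block, and any `NotPrincipal` statements (deliberately not handled here) still need checking.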
"While the process of protecting these cloud containers used in mobile applications is often overlooked by app developers, the impact of misconfigured cloud containers on app developers, their businesses, and users is significant," the Zimperium report said.
Mittal told Wired that Zimperium researchers analyzed 1.3 million smartphone apps and found about 130,000 that used leased cloud servers on the back end.
Of these apps, about 14% (about 12,000 Android apps and over 6,500 iOS apps) had "insecure configurations and were vulnerable to the risks described in this post," as Zimperium reports.
Mittal told Wired that the company has reached out to app owners and developers to notify them of the flaw, but often receives little or no response.
Unfortunately, without knowing which apps are behaving badly, there are no concrete actions users can take to protect themselves from sensitive data leaks. All you can do is try to limit the amount of information about yourself that you put online, but that's often an impossible battle given how much data apps and websites are siphoning off without your permission.