'Billions of Records at Risk from Mobile App Data Flaw'

Advertisement
By Reuters | Updated: 17 June 2015 13:29 IST
Security researchers have uncovered a flaw in the way thousands of popular mobile applications store data online, leaving users' personal information, including passwords, addresses, door codes and location data, vulnerable to hackers.

The team of German researchers found 56 million items of unprotected data in the applications it studied in detail, which included games, social networks, messaging, medical and bank transfer apps.

"In almost every category we found an app which has this vulnerability in it," said Siegfried Rasthofer, part of the team from the Fraunhofer Institute for Secure Information Technology and Darmstadt University of Technology.

Advertisement

Team leader Eric Bodden said the number of records affected "will likely be in the billions".

Another security researcher working separately, Colombian Jheto Xekri, said he had also found the same flaw.

Advertisement

The problem, Bodden said, is in the way developers - those who write and sell the applications - authenticate users when storing their data in online databases.

Most such apps use services like Amazon's Web Services or Facebook's Parse to store, share or back up users' data.

Advertisement

While such services offer ways for developers to protect the data, most choose the default option, based on a string of letters and numbers embedded in the software's code, called a token.

Attackers, Bodden says, can easily extract and tweak those tokens in the app, which then gives them access to the private data of all users of that app stored on the server.

Advertisement

The researchers said they had no documented evidence that the vulnerability had been exploited.

The vulnerable applications, which they declined to name, number in the tens of thousands, and include some of the most popular on the Apple and Google app stores.

Rasthofer said all four companies had responded to their findings; he said Apple staff had told him on Monday that they would soon incorporate warnings to developers to double check their security settings before uploading apps to its App Store.

Google declined to comment, while Apple and Amazon did not respond to queries.

A Facebook spokesperson said that after researchers notified it of the vulnerability the company had been working with affected developers. She declined to provide details.

App developers responsible
Facebook's Parse lists among its customers some of the world's biggest companies - all of which, Rasthofer said, were potentially affected.

Security researchers say mobile applications are more at risk of failing to secure users' data than those running on desktop or laptop computers. This is partly because implementing stronger security is harder, and partly because developers are in a rush to release their apps, said Ibrahim Baggili, who runs a cyber-security lab at the University of New Haven.

Others pointed to weaknesses in the ways apps transmit data. Bryce Boland, Asia Pacific chief technology offer at internet security company FireEye, said the report reflected deeper problems.

He said FireEye regularly found developers send users' names and passwords unencrypted, "so it's not surprising to find them storing them insecurely as well".

Bodden likened his team's discovery to the Heartbleed bug, a web-based vulnerability reported last year that left half a million web servers susceptible to data theft. Security researchers said this might be worse, since there was little users could do, and exploiting the vulnerability was easy.

"The amount of effort to compromise data by exploiting app vulnerabilities is far less than the effort to exploit Heartbleed," said Toshendra Sharma, founder of Bombay-based mobile security company Wegilant.

Other security researchers say that while responsibility for weak authentication lies with those developing the apps, others in the chain should shoulder some of the blame.

"The truth is that there is plenty of fault to go around," said Domingo Guerra, co-founder of mobile security company Appthority. Cloud providers and app stores, he said, should ensure best practices are implemented correctly and test apps for such holes.

© Thomson Reuters 2015

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Further reading: Android, Apple, Apps, Microsoft
Advertisement

Related Stories

Popular Mobile Brands
  1. OnePlus Exits US, Europe, Continues Operations in India: 5 Things to Know
  2. OnePlus Phones Will Soon Run on ColorOS 17 Instead of OxygenOS
  3. Samsung Patent Details Galaxy Z Flip-Like Phone With Curved Edge Display
  4. Skullcandy Crusher 1080 ANC Launched With With Bose Audio, Up to 60-Hour Battery
  5. Tecno Camon 50 Ultra 5G With a 6,500mAh Battery Debuts in India: See Price
  6. Apple Foldable iPhone, Anniversary Models Tipped to Get Better Cooling
  7. Infinix Xpad 30 Pro Retail Listing Reveals Specifications, Hints at Imminent Launch
  1. Android 17 QPR1 Beta 7 Update Brings Refinements, Resolves Battery Share Bug in Quick Settings
  2. Nothing Becomes India's Fastest-Growing Brand Amid Smartphone Market Slowdown in Q2 2026: Counterpoint
  3. 1Password Lets Claude AI Access Your Accounts Without Revealing Passwords
  4. Samsung Patent Reportedly Shows Galaxy Z Flip Design With 360-Degree Fold, Curved Outer Display
  5. Apple May Introduce Vapour Chamber Cooling Across Foldable iPhone and Anniversary Models, Tipster Claims
  6. Google AI Mode Now Supports More Connected Apps Including YouTube Music for Everyday Tasks
  7. Tecno Camon 50 Ultra 5G Launched in India With 6,500mAh Battery, 50-Megapixel Cameras: Price, Specifications
  8. EU Regulator Exempts Smartwatches, Other Wearables From User-Replaceable Battery Mandate
  9. The Duskbloods' Closed Network Playtest Will Take Place in August, FromSoftware Confirms
  10. Skullcandy Crusher 1080 ANC Announced With With Bose Audio, Up to 60-Hour Battery: Price, Features
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.