Thousands of Mobile Apps Expose Data via Misconfigured Cloud Containers


Thousands of mobile applications expose user data through insecurely implemented cloud containers, according to a new report from security vendor Zimperium.

The issue, the company notes, is rooted in the fact that many developers tend to overlook the security of cloud containers during the development process.

Cloud services help resolve the issue of storage space on mobile devices, and developers have numerous such solutions to choose from, some of the most popular being Amazon Web Services, Microsoft’s Azure, Google Storage, and Firebase, among others.

“All of these services allow you to easily store data and make it accessible to your apps. But, herein lies the risk, the ease of use of these services also makes it easy for the developer to misconfigure access policies – potentially allowing anyone to access and in some cases even alter data,” Zimperium notes.

An analysis of mobile applications that use cloud storage has revealed that roughly 14% rely on unsecure configurations, potentially exposing Personally Identifiable Information (PII), enabling fraud and/or exposing IP or internal systems and configurations.

PII exposed through these misconfigurations includes profile pictures, addresses, financial info, medical details, and more. Risks that developers face when PII leaks include legal risks (the victim might sue the app developers), and brand damage, among others.

Information leaks may also involve the exposure of details related to the app operations and infrastructure. Some of the analyzed apps would leak their entire cloud infrastructure scripts, SSH keys, web server config files, installation files, or passwords.

An attacker could use this information to learn about the computing infrastructure of an organization, and even take over the backend infrastructure and other parts of the organization’s network.

Types of iOS and Android apps that were found to expose PII include medical apps, social media apps, major game apps, and fitness apps. Apps that enable fraud through data leaks include a Fortune 500 mobile wallet, a major city transportation app, a major online retailer, and a gambling app.

Among the apps that expose IP and systems, Zimperium found a major music app, a major news service, the apps of a Fortune 500 software company, a major airport, and a major hardware developer, as well as an Asian government travel app.

Zimperium also found apps that used both Google and Amazon cloud storage without any form of security, as well as apps that expose data users share among them, or which exposed images containing payment details, along with various information related to making online purchases.

To avoid risks, developers should always ensure that external access to the cloud storage/database is secured. Next they could use a service to assess the secure software development lifecycle and address any identified issues.


Ionut Arghire is an international correspondent for SecurityWeek.
