The exposure of sensitive information such as usernames and passwords has received a lot of attention in recent months, and users are now generally more aware that they should, for example, look for the padlock icon to make sure a website is transmitting information securely.
However, the proliferation of mobile apps that store usernames and passwords has opened a new security risk that end users often don't recognize. Mobile apps provide little or no tangible indication of whether data is encrypted, either in transit or where it is stored; if they did, the problem might be less severe.
Unfortunately, many app developers are adding to the problem by not implementing proper security. The cloud has helped many of these developers save money and ship products faster, but they are not employing the mobile cloud backup security controls necessary to keep their customers safe.
A recent study by the Technical University of Darmstadt and the Fraunhofer Institute for Secure Information Technology in Germany documented this issue at scale. The researchers found that a large number of mobile apps were open to an attack that lets unauthorized parties obtain unencrypted user information because of poor mobile cloud backup service security practices. In examining 750,000 Android and iOS apps and the cloud back ends they use, such as Facebook's Parse and Amazon Web Services, the researchers found 56 million sets of unprotected user credentials.
The attack takes advantage of a flaw in the way app developers store user databases on cloud backup services (known as backend as a service, or BaaS). Many developers choose BaaS because it lets them back up and sync to the cloud quickly and easily with just a few lines of code. Some app developers use cloud backup services to share public data -- which is acceptable as long as the data is public by design and the key shipped in the app grants read-only access -- but many of them also use BaaS to store data such as clients' usernames, email addresses, passwords, photos and so on.
A key point to stress here is that while cloud providers do offer secure options for storing data, the study shows a large proportion of app developers either don't understand how these cloud provider features work or choose not to use them.
Also note that the problem does not lie with storing customer data. App developers have plenty of legitimate reasons for storing this data; for example, to synchronize it across devices. The problem is that in nearly all the cases in the study, developers took the simplest option for accessing these back-end systems: a single secret key, shared by every copy of the app, used as the only form of authentication. Since that key is embedded within the app itself, anyone with the tools to decompile the app -- which are freely available online -- can extract the key and use it to access every record the key can reach.
This problem isn't restricted to lesser-known apps; developers of some of the most popular apps in the Apple App Store and the Google Play Store store user data in this manner.
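To make the extraction step concrete, here is an added example (not code from the article, the study or any of the providers named) in Python that scans decompiled app artifacts for embedded backend credentials. The file names, class names and Parse identifiers are constructed for illustration; the AWS key pair is the placeholder pair that AWS publishes in its own documentation, and the `Parse.initialize(...)` call shape follows the Android Parse SDK's (application ID, client key) signature.

```python
"""Scan decompiled mobile-app artifacts for embedded BaaS/cloud credentials.

Added example, not from the article or the study. Inputs are constructed:
the Java is what a decompiler such as jadx would emit for a config class,
the XML is an Android string resource. The AWS key pair is the placeholder
pair from AWS's own documentation; the Parse IDs are made up.
"""
import math
import re
from collections import Counter

PATTERNS = {
    # AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # Android Parse SDK: Parse.initialize(context, applicationId, clientKey).
    "parse_initialize": re.compile(
        r'Parse\.initialize\([^,]+,\s*"([^"]+)"\s*,\s*"([^"]+)"\s*\)'),
    # Heuristic of this example: a secret-sounding identifier followed by a
    # long token-like string (Java constant or XML string resource value).
    "named_secret": re.compile(
        r'(?i)(secret|client[_-]?key|master[_-]?key|api[_-]?key)\w*\W+'
        r'([A-Za-z0-9+/=_\-]{16,})'),
}

# Constructed sample: decompiled config class of a hypothetical app.
SAMPLE_JAVA = """\
package com.example.app;

public final class BackendConfig {
    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";

    static void init(Context ctx) {
        Parse.initialize(ctx, "app_9f2c1d7e4b", "ck_7Hq2mZt9Lp4Xs8Vw1Rb6Nd3Fy5Kj0Ga");
    }
}
"""

# Constructed sample: the same client key duplicated in a string resource.
SAMPLE_XML = """\
<resources>
    <string name="app_name">Example</string>
    <string name="parse_client_key">ck_7Hq2mZt9Lp4Xs8Vw1Rb6Nd3Fy5Kj0Ga</string>
</resources>
"""

SAMPLE_ARTIFACTS = {
    "sources/com/example/app/BackendConfig.java": SAMPLE_JAVA,
    "res/values/strings.xml": SAMPLE_XML,
}


def shannon_entropy(s):
    """Bits of entropy per character: random keys score high, words low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, source):
    """Run every pattern over each line of one decompiled file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # The last capture group is the secret-bearing value (for
                # Parse that is the client key; group 1 is the app ID).
                value = m.group(m.lastindex)
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "value": value,
                    "entropy": round(shannon_entropy(value), 2),
                })
    return findings


def scan_artifacts(artifacts):
    """artifacts maps file name -> decompiled text; returns all findings."""
    findings = []
    for name, text in artifacts.items():
        findings.extend(scan_text(text, name))
    return findings


def summarize(findings):
    """Count findings per pattern kind."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in scan_artifacts(SAMPLE_ARTIFACTS):
        print(f"{f['source']}:{f['line']} {f['kind']} "
              f"value={f['value']} entropy={f['entropy']}")
    print(summarize(scan_artifacts(SAMPLE_ARTIFACTS)))
```

In practice the input is the output directory of apktool or jadx rather than inline strings, and the entropy column is what separates a real key from a descriptive constant that merely has "key" in its name. Anything this finds is, by the article's reasoning, already in every attacker's hands; the fix is not to obfuscate the string but to stop relying on a shared key at all.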
Unfortunately, there is little end users can do other than control what data they allow app developers to store. Assume that anything saved in an app could be exposed to others. Users should always check an app's permissions before installing it, and keep apps up to date so that fixes for issues like this one reach the device.
On the enterprise side, controlling which apps users are allowed to install can go some way towards mitigating the problem. This can be enforced with mobile device management software or by providing employees with devices that cannot install additional apps. It is also important to educate staff not to use corporate credentials for personal apps, and to choose a different password for each service they sign up to.
This issue once again highlights how important it is to use different passwords for all websites and apps to ensure you are minimally affected if your credentials are insecurely managed by an app developer.
On the other end of the spectrum, app developers have plenty of options for storing user data safely. All the major cloud providers have extensive documentation on how to use their backup services securely. Amazon Cognito, for example, exists to make the process as simple as possible: it issues each app user temporary, limited-privilege AWS credentials instead of requiring a shared key in the app, and it also supports synchronizing user data across devices.
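The difference between the two approaches is visible in the IAM policy attached to the role the app's users assume. The following is an added example (not from the article or from AWS documentation): two constructed policies, one granting the kind of blanket access a shared embedded key typically has, the other scoped per user with the IAM policy variable `${cognito-identity.amazonaws.com:sub}`, which Cognito expands to the calling user's identity ID, plus a small audit function that flags the first pattern. The bucket name is a placeholder.

```python
"""Audit an IAM policy intended for a Cognito-backed mobile app role.

Added example, not from the article or from AWS. The two policies are
constructed to contrast a shared-key style grant (any caller reads every
record) with per-identity scoping. ${cognito-identity.amazonaws.com:sub}
is the real IAM policy variable Cognito fills in with the caller's identity
ID; "example-app-userdata" is an assumed bucket name.
"""
import json

IDENTITY_VAR = "${cognito-identity.amazonaws.com:sub}"

# What a policy paired with one embedded, all-powerful key tends to look like.
SHARED_KEY_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-app-userdata/*"}
  ]
}
"""

# Per-user scoping: objects live under private/<identity-id>/ and listing is
# restricted to that prefix via a Condition.
PER_USER_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-userdata/private/${cognito-identity.amazonaws.com:sub}/*"},
    {"Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-app-userdata",
     "Condition": {"StringLike": {
       "s3:prefix": ["private/${cognito-identity.amazonaws.com:sub}/*"]}}}
  ]
}
"""


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return (statement_index, problem, detail) tuples for Allow statements
    that would let one set of credentials reach every user's data."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "wildcard action", action))
        # A statement is scoped if the identity variable appears either in
        # the resource ARN or in a Condition (e.g. an s3:prefix restriction).
        condition_text = json.dumps(stmt.get("Condition", {}))
        for resource in _as_list(stmt.get("Resource")):
            if IDENTITY_VAR not in resource and IDENTITY_VAR not in condition_text:
                findings.append(
                    (idx, "resource not scoped to calling identity", resource))
    return findings


if __name__ == "__main__":
    for name, policy in (("shared-key style", SHARED_KEY_POLICY),
                         ("per-user", PER_USER_POLICY)):
        print(name, audit_policy(policy) or "OK")
```

The policy is only half of the control: the role must be reachable only through Cognito's authenticated identities (with a separate, more restricted role for unauthenticated ones), so there is no long-lived key in the app for a decompiler to find. The audit is deliberately strict; a statement for genuinely public, read-only data would trip the scoping check and should be reviewed by hand rather than silently allowed.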
With these secure options available, why don't mobile cloud backup service providers make it the default?
Unfortunately, a locked-down default is not always desirable: depending on the type of app, some data is meant to be publicly readable.
It's important to note, though, that BaaS providers are doing a good job of providing ways to securely store user data; it's ultimately up to app developers to start using them.
About the author:
Rob Shapland is a penetration tester at First Base Technologies, where he specializes in Web application security. He has used his skills to test the websites of companies that range from large corporations to small businesses using a wide variety of Web technologies. He is a firm believer that all penetration testing should have manual techniques at their core, using automated tools to support these skills. He is also involved in network testing and social engineering.