Thousands of Android and iOS apps are leaking data from the cloud

For years, simple setup errors have been a major source of exposure when companies store data in the cloud. Rather than carefully restricting who can access the information stored in their cloud infrastructure, organizations too often misconfigure their defenses. It’s the digital equivalent of leaving the windows or doors of your home open before you go on vacation. That data-leak problem applies to more than just the web services that typically make headlines. Mobile security company Zimperium has discovered that these exposures are also a major problem for iOS and Android apps.

Zimperium performed automated analysis on more than 1.3 million Android and iOS apps to detect common cloud misconfigurations that exposed data. The researchers found nearly 84,000 Android apps and nearly 47,000 iOS apps using public cloud services – such as Amazon Web Services, Google Cloud, or Microsoft Azure – in their backend, rather than running their own servers. Of those, the researchers found misconfigurations in 14 percent – 11,877 Android apps and 6,608 iOS apps – exposing users’ personal information, passwords, and even medical information.

“It’s a troubling trend,” said Shridhar Mittal, CEO of Zimperium. “Many of these apps have cloud storage that is not properly configured by the developer or whoever set up the business, so data is visible to almost everyone. And most of us currently have some of these apps.”

The researchers contacted a handful of the app makers whose cloud exposures they found, but they said the response was minimal and many apps still expose data. This is why Zimperium does not list the affected apps in its report. In addition, the researchers are unable to notify tens of thousands of developers. However, Mittal says the services they looked at range from apps with a few thousand users to apps with a few million. One of the apps in question is a mobile wallet from a Fortune 500 company that exposes user session information and financial data. Another is a big-city transportation app that exposes payment details. The researchers also found medical apps with test results and even profile images of users out in the open.

Given that Zimperium found nearly 20,000 apps with incorrect cloud configurations, the company did not attempt to individually assess whether attackers have already discovered and exploited any of the exposures. But these open doors and windows would be easy to find for bad actors with the same publicly available information that Zimperium used in its research. Hacking groups are already doing these kinds of scans to find cloud misconfigurations in web services. And Mittal says that in addition to sensitive user data, the researchers found network credentials, system configuration files, and server architecture keys in some of the exposed app storage that attackers could potentially use to gain deeper access to an organization’s digital systems.

In addition, the researchers found that some of the misconfigurations would allow bad actors to modify or overwrite data, creating additional potential for fraud and disruption.

While major cloud providers such as AWS have made efforts to proactively detect possible misconfigurations and warn customers about them, it ultimately comes down to developers and IT administrators checking that everything is set up as intended.

“It makes perfect sense that misconfigurations can be a widespread problem,” said Will Strafach, a longtime iOS security researcher and creator of the Guardian Firewall app. “I’ve seen AWS buckets with bad permissions, and I’ve also seen multiple VPN nodes exposing data. I’ve seen many apps from companies that should know better and have terrible security vulnerabilities.”
