Despite Apple’s efforts to keep iOS secure, it’s difficult to have control over how third-party apps store user data. New research from mobile security firm Zimperium has found that thousands of iOS and Android apps are exposing users’ personal information due to misconfigured cloud services.
As reported by Wired, Zimperium analyzed more than 1.3 million iOS and Android apps to identify cloud misconfigurations that lead to user data exposure. Of all the apps analyzed, 47,000 iOS apps and 84,000 Android apps have been using public cloud services such as Amazon Web Services, Google Cloud, or Microsoft Azure in their backend instead of having their own servers.
The research found that at least 14% of these apps using public cloud services have been exposing users’ personal information, which includes passwords and health data, due to misconfigurations that allow hackers to access and even overwrite such data.
Zimperium CEO Shridhar Mittal explains that many of these developers haven’t properly configured the cloud service they’re using to avoid breaches like this.
Hacking groups already do this type of scanning to find cloud misconfigurations in web services. And Mittal says that, in addition to sensitive user data, the researchers also found network credentials, system configuration files, and server architecture keys in some of the exposed app storage that attackers could potentially use to gain deeper access to an organization’s digital systems.
Although cloud service providers such as Amazon Web Services have tools to detect possible misconfigurations, the main responsibility for avoiding this kind of situation lies with the developers. Unfortunately, most users have no idea that their data can be exposed on the web by apps that they trust.
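To make the misconfiguration concrete, here is an added example (not Zimperium's tooling and not from the article) that audits the kind of storage setting at issue. It assumes the backend is an Amazon S3 bucket, one of the three providers the article names; the bucket policy documents, the bucket name and the IAM role ARN (with a placeholder account id) are constructed for illustration. It works on policy documents as plain dicts so it runs offline; in practice the policy and the Block Public Access settings would be fetched with boto3's `get_bucket_policy` and `get_public_access_block` calls, which are assumed and not shown. The weak policy lets anyone on the internet read and overwrite objects, which is the exposure the article describes; the hardened policy grants access only to the app's own backend role.

```python
"""Audit an S3 bucket policy and its Block Public Access flags for world-readable
or world-writable app storage. Added example, not the article's or Zimperium's code.
Policies are plain dicts (constructed below), so this runs offline."""
import json

# Actions that matter most for user data: reading it, or overwriting/deleting it.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """'*' or {'AWS': '*'} means any caller on the internet, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def audit_bucket_policy(policy):
    """Return human-readable findings for public Allow statements; [] means none found."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            # A Condition may narrow the grant (e.g. to a VPC); flag for manual review.
            findings.append(f"{sid}: public principal restricted by a Condition, review manually")
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & WRITE_ACTIONS:
            findings.append(f"{sid}: anyone can overwrite or delete objects")
        elif actions & READ_ACTIONS:
            findings.append(f"{sid}: anyone can read objects")
    return findings


def public_access_block_ok(config):
    """All four Block Public Access flags must be True to block public policies and ACLs."""
    required = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(key) is True for key in required)


# Constructed sample: the weak setting. Any caller may read and write user data.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadWrite",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-app-user-data/*",
    }],
}

# Constructed sample: the corrected setting. Only the app's backend role (placeholder
# account id 123456789012) may touch the objects; nothing is granted to the public.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackendRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-backend"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-app-user-data/*",
    }],
}

# Constructed sample of the account/bucket-level safeguard that should also be on.
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(audit_bucket_policy(policy)))
    print("block public access ok:", public_access_block_ok(BLOCK_ALL))
```

The audit only examines `Allow` statements with a public principal and ignores `NotAction`/`NotPrincipal` forms, so a clean result is a necessary but not sufficient sign of a safe bucket; the Block Public Access check is the backstop that makes a later public policy or ACL ineffective even if one is added by mistake.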
Zimperium reached out to the developers of some of the analyzed apps, but most of them didn’t respond to a request to fix the exposure in their apps. The researchers say that not only apps from small developers have been affected by misconfigurations of cloud services, but also apps from major companies.
One of the apps in question is a mobile wallet from a Fortune 500 company that’s exposing some user session information and financial data. Another is a transportation app from a large city that’s exposing payment data. The researchers also found medical apps with test results and even users’ profile images out in the open.
The researchers hope that today’s report will make more developers aware of how to properly configure cloud services in apps. You can read the full story on the Wired website.