Thousands of Android and iOS Apps Leak Data From the Cloud

For years, simple setup errors have been a major source of exposure when companies keep data in the cloud. Instead of carefully restricting who can access the information stored in their cloud infrastructure, organizations too often misconfigure their defenses. It’s the digital equivalent of leaving the windows or doors open at your house before going on a long vacation. That leaky data problem applies to more than just the web services that typically grab headlines. Mobile security firm Zimperium has found that these exposures pose a major problem for iOS and Android apps as well.

Zimperium ran automated analysis on more than 1.3 million Android and iOS apps to detect common cloud misconfigurations that exposed data. The researchers found almost 84,000 Android apps and nearly 47,000 iOS apps using public cloud services—like Amazon Web Services, Google Cloud, or Microsoft Azure—in their backend as opposed to running their own servers. Of those, the researchers found misconfigurations in 14 percent of those totals—11,877 Android apps and 6,608 iOS apps—exposing users’ personal information, passwords, and even medical information.

sources tell me
speaking of
special info
straight from the source
such a good point
super fast reply
take a look at the site here
talking to
talks about it
that guy
the advantage
the full details
the full report
the original source
their explanation
their website
these details
they said
this article
this contact form
this content
this guy
this hyperlink
this link
this page
this post
this site
this website
top article
total stranger
try here
try these guys
try these guys out
try these out
try this
try this out
try this site
try this web-site
try this website
try what he says
try what she says
updated blog post
use this link
view it
view it now
view publisher site
view siteÂ…
view website
visit here
visit homepage
visit our website
visit site
visit the site
visit the website
visit their website
visit these guys
visit this link
visit this page
visit this site
visit this site right here
visit this web-site
visit this website
visit website
visit your url
visite site
watch this video
web link
web site

“It’s a disturbing trend,” says Shridhar Mittal, Zimperium’s CEO. “A lot of these apps have cloud storage that was not configured properly by the developer or whoever set things up and, because of that, data is visible to just about anyone. And most of us have some of these apps right now.”

The researchers reached out to a handful of the app makers they found with cloud exposures, but they say the response was minimal and many apps still have exposed data. This is why Zimperium isn’t naming affected apps in their report. Additionally, the researchers can’t notify tens of thousands of developers. Mittal says, though, that the services they looked at run the gamut from apps with a few thousand users to those with a few million. One of the apps in question is a mobile wallet from a Fortune 500 company that’s exposing some user session information and financial data. Another is a transportation app from a large city that’s exposing payment data. The researchers also found medical apps with test results and even users’ profile images out in the open.

Given that Zimperium found nearly 20,000 apps with cloud misconfigurations, the company didn’t attempt to individually assess whether attackers have already discovered and abused any of the exposures. But these open doors and windows would be easy for bad actors to find using the same publicly available information that Zimperium used in its research. Hacking groups already do this type of scanning to find cloud misconfigurations in web services. And Mittal says that, in addition to sensitive user data, the researchers also found network credentials, system configuration files, and server architecture keys in some of the exposed app storage that attackers could potentially use to gain deeper access to an organization’s digital systems.

On top of all of that, the researchers found that some of the misconfigurations would allow bad actors to change or overwrite data, creating additional potential for fraud and disruption.

Related Posts

Leave a Reply

Your email address will not be published.