Thousands of mobile applications, including popular ones, implement cloud-based, back-end services in a way that lets anyone access millions of sensitive records created by users, according to a recent study.
The analysis was performed by researchers from the Technical University and the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany, and the results were presented Friday at the Black Hat Europe security conference in Amsterdam. It targeted applications that use Backend-as-a-Service (BaaS) frameworks from providers like Facebook-owned Parse, CloudMine or Amazon Web Services.
BaaS frameworks offer cloud-based database storage, push notification, user administration and other services that developers can easily use in their apps. Their goal is to minimize the knowledge needed to maintain the back-end servers of an application.
All developers have to do is sign up with a BaaS provider, integrate its software development kit (SDK) in their applications, then use its services through simple application programming interfaces (APIs).
The researchers looked at how developers use APIs and discovered that many of them include their primary BaaS access keys inside their apps. This a very dangerous practice, because applications, especially mobile ones, can be easily reversed engineered to extract such credentials and access their back-end databases.
In order to see how widespread the problem was, the researchers built a tool that uses both static and dynamic analysis to identify which BaaS provider is used by an application and to extract the BaaS access keys from it, even if they’re obfuscated or computed at runtime.
They ran their tool against more than two million Android and iOS apps and extracted 1,000 back-end credentials and associated database table names. Many of those credentials were reused in multiple apps from the same developer and, in total, they provided access to over 18.5 million records containing 56 million data items.
The researchers did not actually download the records, but they were able to count them and figure out their type by simply looking at the database tables. The records included car accident information, user-specific location data, birthdays, contact information, telephone numbers, pictures, valid email addresses, purchase data, private messages, baby growth data and even whole server backups.
The researchers even found a mobile Trojan that used a BaaS service to store data and SMS messages stolen from infected devices, along with the attackers’ own commands and planned tasks.
The inclusion of BaaS credentials in applications not only exposes data records to theft by anyone, but also to manipulation or deletion. Attackers could also use the credentials to store data in those databases at the expense of the real account owners who might not even realize that this is happening.
Sign up for CIO Asia eNewsletters.