Appthority on Thursday warned that up to 700 apps in the enterprise mobile environment, including more than 170 that were live in official app stores, could be at risk due to the Eavesdropper vulnerability.
Affected Android apps already may have been downloaded up to 180 million times, the firm said, based on its recent research.
The vulnerability has resulted in large-scale data exposure, Appthority said.
Eavesdropper is the result of developers hard-coding credentials into mobile applications that utilize the Twilio REST API or SDK, according to Appthority. That goes against the best practices that Twilio recommends in its own documentation, and Twilio already has reached out to the development community, including those with affected apps, to work on securing the accounts.
Appthority’s Mobile Threat Team first discovered the vulnerability back in April and notified Twilio about the exposed accounts in July.
The vulnerability reportedly exposes massive amounts of sensitive and even historic data, including call records, minutes of the calls made on mobile devices, and minutes of call audio recordings, as well as the content of SMS and MMS text messages.
Reducing the Risk
The best approach for an enterprise is to identify the Eavesdropper-vulnerable apps in its environment and determine whether the data exposed by the app is sensitive, Appthority suggested.
“Not all conversations involve confidential information, and the nature of the app’s use in the enterprise may not involve data that is sensitive or of concern,” noted Seth Hardy, Appthority director of security research.
“If the messages, audio content or call metadata turn out to be sensitive or proprietary, there may not be much that can be done about exposed conversations resulting from prior use of the app,” he told TechNewsWorld.
“However, a lot can be done to protect future exposures, including either addressing and confirming the fix with the developer, or finding an alternate app that has the same or similar functionality without the Eavesdropper vulnerability,” Hardy said. “In all cases, the enterprise should contact developers to have them delete exposed files.”
The Eavesdropper vulnerability is not limited to apps created using the Twilio REST API or SDK, Appthority pointed out, as hard-coding of credentials is a common developer error that can increase security risks in mobile applications.
“The core problem is developer laziness, so what Appthority found isn’t a particular revelation,” said Steve Blum, principal analyst at Tellus Venture Associates.
“It’s just one more example of bad practices leading to bad results, as it’s very tempting for a coder to take shortcuts while developing an app, with the sincere intent of cleaning things up later,” he told TechNewsWorld.
“With apps being developed by a single person or a small team, there are no routine quality control checks,” Blum added. “Right now, it’s up to the stores — Apple and Android, primarily — to do QC work, and I’d bet they’re taking a look at this particular problem and might screen more thoroughly for hard-coded credentials in the future.”
For security and privacy to come first, it may be essential for coding in general to go through a paradigm shift, suggested Roger Entner, principal analyst at Recon Analytics.
“Unfortunately, too often security is seen as a cost center, and privacy is seen as the revenue generator for the company that develops the app,” he told TechNewsWorld.
“Therefore, apps are often not secure — and privacy is nonexistent — to minimize cost and maximize revenue,” Entner explained. “The only way to combat these breaches is to actually pay full price for the apps consumers are using and to reject advertising-supported apps.”
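The developer error described above (service credentials compiled into a client app) is the kind of thing a build pipeline can refuse to ship. The scanner below is an added illustration of such a pre-build check; it is not code from Appthority, Twilio, or the article. It assumes the publicly documented Twilio identifier formats (an Account SID is “AC” followed by 32 hex characters, an auth token is 32 hex characters) and adds a generic rule for basic-auth style `user:password@host` strings, which is how REST credentials end up embedded in a URL. Both source snippets it is run against are constructed, and `BackendClient` in the hardened snippet is a hypothetical name for the app’s own server-side token endpoint.

```python
import re
from typing import List, Tuple

# Added example, not Appthority's or Twilio's tooling. Twilio Account SIDs
# are "AC" followed by 32 hex characters and auth tokens are 32 hex characters
# (publicly documented formats); the "credentials in URL" rule is a generic
# heuristic for basic-auth style user:password@host strings.
PATTERNS = [
    ("twilio_account_sid", re.compile(r"\bAC[0-9a-fA-F]{32}\b")),
    ("twilio_auth_token",
     re.compile(r"(?i)(auth[_ ]?token|secret)\s*[:=]\s*[\"']([0-9a-f]{32})[\"']")),
    ("credentials_in_url",
     re.compile(r"https?://[^/\s:@]+:[^/\s@]+@[^\s\"']+")),
]


def redact(secret: str) -> str:
    """Keep only a short prefix so the finding itself does not re-leak the secret."""
    return secret[:6] + "..." if len(secret) > 6 else "***"


def scan_for_hardcoded_credentials(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, redacted match) for every hit in the source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, name, redact(match.group(0))))
    return findings


def build_is_clean(source: str) -> bool:
    """CI gate: a client that carries service credentials must not be shipped."""
    return not scan_for_hardcoded_credentials(source)


# Constructed sample 1: the Eavesdropper pattern, account credentials compiled
# into the app. The SID and token values are placeholders, not real credentials.
VULNERABLE_SAMPLE = '''
public final class TwilioConfig {
    static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    static final String AUTH_TOKEN  = "fedcba9876543210fedcba9876543210";
    static final String API_URL = "https://AC0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210@api.twilio.com/";
}
'''

# Constructed sample 2: the app never holds account credentials; it asks its
# own backend (hypothetical BackendClient) for a short-lived, scoped token,
# so the long-lived secret stays server-side and can be rotated there.
HARDENED_SAMPLE = '''
public final class TwilioConfig {
    static String fetchAccessToken() {
        return BackendClient.get("/twilio/token");
    }
}
'''

if __name__ == "__main__":
    for lineno, rule, evidence in scan_for_hardcoded_credentials(VULNERABLE_SAMPLE):
        print(f"line {lineno}: {rule}: {evidence}")
    print("hardened sample clean:", build_is_clean(HARDENED_SAMPLE))
```

Run it from the repository root over the files that end up in the app bundle (source, resource and configuration files) and fail the build on any finding; the redaction matters because CI logs are often far more widely readable than the source tree.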
No Easy Fix
One of the most worrisome facts about this vulnerability is that Eavesdropper doesn’t rely on a jailbreak or root of the device. Nor does it take advantage of other known operating system vulnerabilities.
Moreover, the vulnerability is not resolved after the affected app has been removed from a user’s device. Instead, the app’s data remains open to exposure until the credentials are properly updated.
“There isn’t a consumer workaround other than uninstalling all affected apps and hoping that your data hasn’t already been compromised,” warned Paul Teich, principal analyst at Tirias Research.
Some users may purchase phones that are preloaded with apps thatcould compromise their personal information.
“Twilio could force developers to update their app code by invalidating or revoking all access credentials to their compromised services APIs,” Teich told TechNewsWorld.
However, “the sudden impact would be that a lot of valued consumer smartphone apps and services would simply stop working all at the same time,” he said.
It appears that users have few options, and it could be difficult for consumers even to have visibility into Eavesdropper-affected apps.
Those who work at a company “can ask their IT security team for a list of apps that are approved, and then delete vulnerable apps and install non-Eavesdropper affected apps instead,” suggested Appthority’s Hardy.
“The big challenge is how to stop the flow of information from thisbreach while still providing access to valued services,” said Tirias’ Teich.
This situation occurred in no small part because developers were sloppy. However, consumer attitudes likely played a role as well. Many people favor ease of use over mobile device security.
“Consumers are still too casual about their privacy and opt not to pay,” said Recon Analytics’ Entner, “instead having their privacy monetized and compromised through sloppily coded apps.”