Appthority on Thursday warned that up to 700 apps in the enterprise mobile environment, including more than 170 that were live in official app stores, could be at risk due to the Eavesdropper vulnerability.
Affected Android apps already may have been downloaded up to 180 million times, the firm said, based on its recent research.
The vulnerability has resulted in large-scale data exposure, Appthority said.
Eavesdropper is the result of developers hard-coding credentials into mobile applications that utilize the Twilio Rest API or SDK, according to Appthority. That goes against the best practices that Twiliorecommends in its own documentation and Twilio has already reached out to the development community, including those with affected apps, to work on securing the accounts.
Appthority’s Mobile Threat Team first discovered the vulnerability back in April and notified Twilio about the exposed accounts in July.
The vulnerability reportedly exposes massive amounts of sensitive and even historic data, including call records, minutes of the calls made on mobile devices, and minutes of call audio recordings, as well as the content of SMS and MMS text messages.
Reducing the Risk
The best approach for an enterprise is to identify the Eavesdropper-vulnerable apps in its environment and determine whether the data exposed by the app is sensitive, Appthority suggested.
“Not all conversations involve confidential information, and the nature of the app’s use in the enterprise may not involve data that is sensitive or of concern,” noted Seth Hardy, Appthority director of security research.
“If the messages, audio content or call metadata turn out to be sensitive or proprietary, there may not be much that can be done about exposed conversations resulting from prior use of the app,” he told TechNewsWorld.
“However, a lot can be done to protect future exposures, including either addressing and confirming the fix with the developer or finding an alternate app that has the same or similar functionality without the Eavesdropper vulnerability,” Hardy said. “In all cases, the enterprise should contact developers to have them delete exposed files.”
The Eavesdropper vulnerability is not limited to apps created using the Twilio Rest API or SDK; Appthority pointed out that hard-coding of credentials is a common developer error that can increase security risks in mobile applications.
“The core problem is developer laziness, so what Appthority found isn’t a particular revelation,” said Steve Blum, principal analyst at Tellus Venture Associates.
“It’s just one more example of bad practices leading to bad results, as it’s very tempting for a coder to take shortcuts while developing an app, with the sincere intent of cleaning things up later,” he told TechNewsWorld.
“With apps being developed by a single person or a small team, there are no routine quality control checks,” Blum added. “Right now, it’s up to the stores — Apple and Android, primarily — to do QC work, and I’d bet they’re taking a look at this particular problem and might screen more thoroughly for hard-coded credentials in the future.”
For security and privacy to come first, it may be essential for coding, in general, to go through a paradigm shift, suggested Roger Entner, principal analyst at Recon Analytics.
“Unfortunately, too often, security is seen as a cost center, and privacy is seen as the revenue generator for the company that develops the app,” he told TechNewsWorld.
“Therefore, apps are often not secure — and privacy is nonexistent — to minimize cost and maximize revenue,” Entner explained. “The only way to combat these breaches is to actually pay full price for the apps consumers are using and to reject advertising-supported apps.”
No Easy Fix
One of the most worrisome facts about this vulnerability is that eavesdropper doesn’t rely on a jailbreak or the root of the device. Nor does it take advantage of other known operating system vulnerabilities.
Moreover, the vulnerability is not resolved after the affected app has been removed from a user’s device. Instead, the app’s data remains open to exposure until the credentials are properly updated.
“There isn’t a consumer workaround other than uninstalling all affected apps and hoping that your data hasn’t already been compromised,” warned Paul Teich, principal analyst at Tirias Research.
Some users may purchase phones that are preloaded with apps that could compromise their personal information.
“Twilio could force developers to update their app code by validating or revoking all access credentials to their compromised services APIs,” Teich told TechNewsWorld.
However, “the sudden impact would be that a lot of valued consumer smartphone apps and services would simply stop working all at the same time,” he said.
It appears that users have few options, and it could be difficult for consumers even to have visibility into Eavesdropper-affected apps.
Those who work at a company “can ask their IT security team for a list of apps that are approved, and then delete vulnerable apps and install non-Eavesdropper affected apps instead,” suggested Appthority’s Hardy.
“The big challenge is how to stop the flow of information from this breach while still providing access to valued services,” said Tirias’ Teich.
This situation occurred in no small part because developers were sloppy. However, consumer attitudes likely played a role as well. Many people favor ease of use over mobile device security.
“Consumers are still too casual about their privacy and opt not to pay,” said Recon Analytics’ Entner, “instead having their privacy monetized and compromised through sloppily coded apps.”
Oooo! Scary! Not a single vulnerable app named let alone a list or a link to one. Was there a point here?