As many as 56 million login credentials may be at risk because of cloud services used incorrectly by app developers, according to new research from the University of Darmstadt.
After analysing 750,000 Android and iOS applications, the research team found that data including passwords, email addresses and health records could be read by attackers. As noted by Phys.org, many app developers use cloud-based databases to store user data, yet frequently ignore the security recommendations given by the providers.
Cloud storage providers offer a range of authentication options matched to the sensitivity of the data, but many developers pick the weakest one: a static app identifier and key that the provider intends only to identify the calling app, not to protect the data it stores. Because that key ships inside the app package, anyone who downloads and decompiles the app can extract it and use the provider's API to read and manipulate the entire database, enabling crimes ranging from selling email addresses to blackmail and botnet building.
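To make the difference between the two integration styles concrete, here is a toy back-end model. It is an added example written for this page, not code from the article, the research team or any real BaaS provider; the class and method names, the key names and the sample records are all invented. The weak path hands out every row to whoever holds a key that was bundled into the app; the documented path uses the bundled key only to identify the app and returns rows only after a user has authenticated, filtered by per-record ownership.

```python
"""Toy BaaS model: bundled app key alone vs. app key plus per-user session.

Constructed example for illustration; nothing here is a real provider's API.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Record:
    owner: str          # username that owns the row
    data: dict
    public_read: bool = False


class ToyBackend:
    """Stand-in for a hosted database with two ways of authenticating callers."""

    def __init__(self):
        self.app_id = "app_" + secrets.token_hex(4)
        # The client key ships inside the app binary. It identifies the app and
        # must be treated as public, because anyone can unpack the app and read it.
        self.client_key = secrets.token_hex(16)
        # The master key bypasses all access control. It belongs on a server the
        # developer controls, never inside a mobile app.
        self.master_key = secrets.token_hex(16)
        self.users = {}      # username -> (salt, pbkdf2 digest)
        self.sessions = {}   # session token -> username
        self.records = []

    # --- weak integration: one bundled key unlocks every row -------------------
    def query_with_master_key(self, key):
        if not hmac.compare_digest(key, self.master_key):
            raise PermissionError("bad master key")
        return [r.data for r in self.records]

    # --- documented integration: app key identifies, user session authorises ---
    def register(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, digest)

    def login(self, client_key, username, password):
        if not hmac.compare_digest(client_key, self.client_key):
            raise PermissionError("unknown app")
        salt, digest = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)   # short-lived, per-user, never in the APK
        self.sessions[token] = username
        return token

    def query_as_user(self, client_key, session_token):
        if not hmac.compare_digest(client_key, self.client_key):
            raise PermissionError("unknown app")
        user = self.sessions.get(session_token)
        if user is None:
            raise PermissionError("not logged in")
        # Row-level access control: own rows plus rows marked world-readable.
        return [r.data for r in self.records if r.owner == user or r.public_read]


def demo():
    """Return (rows leaked via bundled master key, anonymous result, rows alice sees)."""
    backend = ToyBackend()
    backend.register("alice", "correct horse")
    backend.register("bob", "battery staple")
    backend.records += [                                   # constructed sample data
        Record("alice", {"email": "alice@example.com", "note": "private"}),
        Record("bob", {"email": "bob@example.com", "note": "private"}),
        Record("bob", {"title": "public post"}, public_read=True),
    ]

    # Insecure integration: the app shipped the master key, so the value an
    # attacker pulls out of the decompiled package reads the whole table.
    key_from_apk = backend.master_key
    leaked = backend.query_with_master_key(key_from_apk)

    # Documented integration: the shipped client key on its own yields nothing.
    try:
        backend.query_as_user(backend.client_key, "")
        anonymous = "unexpected"
    except PermissionError:
        anonymous = "denied"

    # Data flows only after a user authenticates, and only that user's rows.
    token = backend.login(backend.client_key, "alice", "correct horse")
    alice_view = backend.query_as_user(backend.client_key, token)
    return len(leaked), anonymous, len(alice_view)


if __name__ == "__main__":
    print(demo())   # (3, 'denied', 2)
```

The point of the model is that the client key is a label, not a secret: the security of the documented path rests entirely on the session token and the ownership check, neither of which an attacker can recover from the app package. Shipping the master key collapses the whole scheme to "anyone who can unzip an APK".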
In an interview cited by The Register, Professor Bodden of the University of Darmstadt said that this was the case in “virtually all” of the apps investigated by the team.
“All cloud providers extensively document on their webpages how apps must include the BaaS (back-end-as-a-service) such that secure access to the data is guaranteed,” said Bodden. “Most developers seem to be missing this crucial piece of information, though, and opt for the simple but insecure usage of the service, probably not even aware that they are putting their users’ data at risk.”
On making the discovery, the researchers immediately informed the cloud providers and the German Federal Office for Information Security. Professor Bodden concluded, though, that it is developers who must take responsibility for their apps, since they are the ones who underestimated the danger.
by Kyle Ellison, ESET