Mobile-app errors expose data on 180 mln phones

Up to 180 million smartphone owners are at risk of having some of their text messages and calls intercepted by hackers because of a simple coding error in at least 685 mobile apps, cyber-security firm Appthority warned on Thursday.

Developers mistakenly coded credentials for accessing services provided by Twilio Inc, said Appthority’s director of security research, Seth Hardy. 

Hackers could access those credentials by reviewing the code in the apps, then gain access to data sent over those services, he said.


THE VULNERABILITY 

The vulnerability only affects calls and texts made inside of apps that use messaging services from Twilio, including some business apps for recording phone calls, according to Appthority’s report.

This includes up to 180 million smartphone owners.

In a survey of 1,100 apps, Appthority found 685 problem apps that were linked to 85 affected Twilio accounts.

That suggests the theft of credentials for one app’s Twilio account could pose a security threat to all users of as many as eight other apps. 


The vulnerability, known as Eavesdropper, could allow hackers to access confidential knowledge of business dealings, for example, Appthority warns.

According to Appthority, the vulnerability has been present since 2011, and requires just three steps to carry out: reconnaissance, exploitation, and exfiltration.

This means an attacker would first search for apps that use Twilio, using a tool such as VirusTotal or YARA that can identify strings inside apps to look for the string ‘twilio’.

Once this has been done, a hacker could identify the Twilio credentials, which consist of a 34-character Twilio ID and a 32-character token (password).

Then, they could access the account to browse or exfiltrate data.
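A developer-side check for this class of mistake, as an added example that is not from the article or from Appthority: a scanner that flags the credential pair described above in app source or extracted string tables before a build ships. It assumes the public Twilio format (Account SID is ‘AC’ plus 32 hex digits, 34 characters total; auth token is 32 hex digits), uses constructed placeholder values, and the BackendApi/requestTwilioToken names in the sample are hypothetical.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    line_no: int
    kind: str   # "account_sid" or "auth_token"
    value: str

# Assumed Twilio format: Account SID = "AC" + 32 hex digits (34 chars total),
# bounded so it is not matched inside a longer identifier.
ACCOUNT_SID_RE = re.compile(r"(?<![0-9A-Za-z])AC[0-9a-fA-F]{32}(?![0-9A-Za-z])")
# Auth token = 32 hex digits, only when assigned to a token-like name, so that
# unrelated 32-hex values (MD5 sums, UUID fragments) are not flagged.
AUTH_TOKEN_RE = re.compile(
    r"(?i)(?:auth[_-]?token|twilio[_-]?token|api[_-]?secret)"
    r"\s*[:=]\s*[\"']([0-9a-fA-F]{32})[\"']"
)

def scan_text(text: str) -> list[Finding]:
    """Return every SID/token match with its 1-based line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCOUNT_SID_RE.finditer(line):
            findings.append(Finding(line_no, "account_sid", m.group(0)))
        for m in AUTH_TOKEN_RE.finditer(line):
            findings.append(Finding(line_no, "auth_token", m.group(1)))
    return findings

def has_hardcoded_credentials(text: str) -> bool:
    """True when SID and token both appear: together they grant account access."""
    kinds = {f.kind for f in scan_text(text)}
    return {"account_sid", "auth_token"} <= kinds

# Constructed sample (placeholder values, not real credentials): an Android
# client that ships the account pair inside the app ...
LEAKY_SOURCE = """\
public final class SmsClient {
    private static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    private static final String AUTH_TOKEN  = "fedcba9876543210fedcba9876543210";
}
"""
# ... and the corrected design: the app asks its own backend (which holds the
# Twilio credential server-side) for a short-lived per-user token instead.
FIXED_SOURCE = """\
public final class SmsClient {
    String fetchToken(BackendApi backend) { return backend.requestTwilioToken(); }
}
"""

if __name__ == "__main__":
    for f in scan_text(LEAKY_SOURCE):
        print(f"line {f.line_no}: {f.kind} = {f.value[:4]}...{f.value[-4:]}")
    print("leaky:", has_hardcoded_credentials(LEAKY_SOURCE), "fixed:", has_hardcoded_credentials(FIXED_SOURCE))
```

Run over a decompiled APK's string dump or the source tree in CI; a hit on the pair is a build-blocking finding, and the fix is to move the credential behind the app's own backend.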

The attack is relatively ‘easy’ compared to others, Appthority warns.

‘There is no need to perform weaponization or the other steps as the files are undefended,’ Michael Bentley, of Appthority, wrote in the new report.

‘Once the messaging and audio files have been exfiltrated, the attacker can run a simple script to convert audio files to text and search the text for keywords that would lead to proprietary or sensitive data.’ 

The findings highlight new threats posed by the increasing use of third-party services such as Twilio that provide mobile apps with functions like text messaging and audio calls. 

Developers can inadvertently introduce security vulnerabilities if they do not properly code or configure such services.


AMAZON AT RISK TOO

Appthority said it also warned Amazon.com Inc that it had found credentials for at least 902 developer accounts with cloud-service provider Amazon Web Services in a scan of 20,098 different apps.

Those credentials could be used to access app user data stored on Amazon.

A representative with Amazon declined comment.

‘This isn’t just limited to Twilio. It’s a common problem across third-party services,’ Hardy said. 

‘We often notice that if they make a mistake with one service, they will do so with other services as well.’

Many apps use Twilio to send text messages, process phone calls and handle other services. 

Hackers could access related data if they log into the developer accounts on Twilio, Hardy said.

The mistakes were caused by developers, not Twilio, Hardy said. 

Twilio’s website warns developers that leaving credentials in apps could expose their accounts to hackers.

Twilio spokesman Trak Lord said the company has no evidence that hackers used credentials coded into apps to access customer data but that it was working with developers to change the credentials on affected accounts.



Credentials for back-end services like Twilio are coveted by hackers because developers often reuse their accounts to build multiple apps.



Source

http://mailonsunday.co.uk/sciencetech/article-5066359/Mobile-app-errors-expose-data-180-mln-phones-security-firm.html