Thousands of Apps Are Leaking Data Thanks to Misconfigured Cloud Servers

Thousands of Apps Are Leaking Data Thanks to Misconfigured Cloud Servers
Getty Images

Hearing that an app might be leaking your data is never a good thing. New research shows that’s exactly what’s happening with thousands of Android and iOS apps.

Security firm Zimperium has found that misconfigured defences in cloud data storage are causing problems for many iOS and Android apps, according to a report by Wired.

Misconfigured cloud servers are leaking data

Zimperium apparently ran an automated analysis of over 1.3 million iOS and Android apps. This revealed that almost 84,000 Android apps and 47,000 iOS apps make use of public cloud services. This includes services in the backend such as Amazon Web Services, Google Cloud and Microsoft Azure.

Researchers then found that of these numbers, 11,877 Android apps and 6,608 iOS apps were flagged for misconfiguring their cloud servers.

This means these apps have exposed users’ personal information, passwords and potentially even health data. Wired says its the equivalent of leaving your door open when you leave the house. Yikes.

Zimperium didn’t name specific apps, however, did point to some of them being big players. One is a mobile wallet app from a Fortune 500 company that has exposed users’ session information and financial data. Others are said to be medical apps where users’ test results and profile images could be found.

“It’s a disturbing trend. A lot of these apps have cloud storage that was not configured properly by the developer or whoever set things up and, because of that, data is visible to just about anyone. And most of us have some of these apps right now,” Shridhar Mittal, Zimperium’s CEO, told Wired.

The company said that responses from app developers it reached out to about this issue have been minimal so far.

User data is at risk

Naturally, all this exposed data is an easy target for hackers. Hacking groups are already capable of doing similar scanning reports to that of Zimperium and can identify when there’s been a misconfiguration in the cloud.

This means that much of this exposed data may already have been captured by bad actors. And if it hasn’t, it can easily be found.

In addition to this, researchers found that some of the misconfigurations allow hackers to change or overwrite data. This could result in potential fraud and disruption of those apps.

Information such as network credentials and server architecture keys were also exposed. Hackers could then use this data to further infiltrate an organisation.

The responsibility for this issue lies with app developers, not the cloud services themselves. Cloud providers make efforts to detect these possible misconfigurations and warn customers. But it still comes to down individual developers and administrators to reconfigure these security breaches and confirm that the set up is secure.

Mittal said that he hopes to raise awareness about mobile cloud misconfigurations such as this which will motivate developers to secure their infrastructure.