Many apps use cloud services from companies like Amazon and Facebook to help back up and sync mobile data, but new research has found that developers are not doing such a good job of implementing those services securely, leaving millions of credential data sets exposed.
Researchers from the Technical University of Darmstadt and the Fraunhofer Institute for Secure Information Technology in Germany looked at cloud databases like Facebook Parse and Amazon AWS and found 56 million sets of unprotected data from mobile apps.
These backend-as-a-service (BaaS) options allow cloud backups and syncing for developers with just a few lines of code, and according to professor Eric Bodden, leader of the joint research team, mobile developers often ignore cloud providers' security recommendations, which leaves data insecure.
"Some apps use BaaS to share public data, which is ok as long as the data is configured to be read-only," wrote Bodden. "Many apps, however, use BaaS also to store confidential data such as user names, email addresses, contact information, passwords and other secrets, photos and generally any kind of data one can think of."
According to the research, the basic implementation of BaaS uses a simple API-token which can be stolen by attackers and used either to read the data stored in cloud services or even to manipulate the data.
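To make the difference between the two setups concrete, here is an added example written for this page (not code from the article or the research team). It models a toy in-memory BaaS backend in two modes: the token-only default the research describes, where anyone holding the API token extracted from the app can read and overwrite every record, and a per-user access-control scheme, where the app token only identifies the app and a per-user session plus the record's ACL decide access. The store, user names, session token format and record data are all constructed stand-ins.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed stand-in for the app-wide API token shipped inside an app,
# which anyone can pull out of the installed package.
APP_TOKEN = "app-token-embedded-in-apk"


@dataclass
class Record:
    owner: str                                   # user id that created the record
    data: dict
    public_read: bool = False                    # public, read-only sharing is fine
    writers: Set[str] = field(default_factory=set)   # extra user ids allowed to write


class PermissionDenied(Exception):
    pass


class BaaSStore:
    """Toy BaaS backend (constructed, not any provider's real API).

    enforce_acl=False: whoever presents the app token can read and change every row.
    enforce_acl=True:  a per-user session token and the record's ACL decide access.
    """

    def __init__(self, app_token: str, enforce_acl: bool):
        self.app_token = app_token
        self.enforce_acl = enforce_acl
        self.records: Dict[str, Record] = {}
        self.sessions: Dict[str, str] = {}       # session token -> user id

    def login(self, user: str) -> str:
        token = f"session-{user}"   # constructed; a real provider issues random per-user tokens
        self.sessions[token] = user
        return token

    def _caller(self, app_token: str, session_token: Optional[str]) -> Optional[str]:
        if app_token != self.app_token:
            raise PermissionDenied("unknown app token")
        return self.sessions.get(session_token)  # None means an anonymous client

    def read(self, key: str, app_token: str, session_token: Optional[str] = None) -> dict:
        user = self._caller(app_token, session_token)
        rec = self.records[key]
        if not self.enforce_acl:
            return rec.data                      # the embedded token alone is enough
        if rec.public_read or (user is not None and (user == rec.owner or user in rec.writers)):
            return rec.data
        raise PermissionDenied(f"{user!r} may not read {key!r}")

    def write(self, key: str, data: dict, app_token: str,
              session_token: Optional[str] = None, public_read: bool = False) -> None:
        user = self._caller(app_token, session_token)
        rec = self.records.get(key)
        if not self.enforce_acl:
            # Anyone with the app token may create or overwrite any record.
            self.records[key] = Record(owner=user or "anonymous", data=data, public_read=public_read)
            return
        if user is None:
            raise PermissionDenied("writes require a logged-in user")
        if rec is None:
            self.records[key] = Record(owner=user, data=data, public_read=public_read)
        elif user == rec.owner or user in rec.writers:
            rec.data = data
        else:
            raise PermissionDenied(f"{user!r} may not write {key!r}")


def build_store(enforce_acl: bool) -> BaaSStore:
    """Populate a store with one public record and one confidential record (constructed data)."""
    store = BaaSStore(APP_TOKEN, enforce_acl)
    alice = store.login("alice")
    store.write("catalog", {"item": "widget", "price": 9}, APP_TOKEN, alice, public_read=True)
    store.write("profile:alice", {"email": "alice@example.com", "phone": "555-0100"}, APP_TOKEN, alice)
    return store


def can_read(store: BaaSStore, key: str, session_token: Optional[str] = None) -> bool:
    """True if a caller holding the app token (plus optional session) can read key."""
    try:
        store.read(key, APP_TOKEN, session_token)
        return True
    except PermissionDenied:
        return False


def can_write(store: BaaSStore, key: str, session_token: Optional[str] = None) -> bool:
    """True if a caller holding the app token (plus optional session) can overwrite key."""
    try:
        store.write(key, {"tampered": True}, APP_TOKEN, session_token)
        return True
    except PermissionDenied:
        return False


if __name__ == "__main__":
    for enforce in (False, True):
        store = build_store(enforce)
        bob = store.login("bob")
        print(f"enforce_acl={enforce}: anonymous reads profile -> {can_read(store, 'profile:alice')}, "
              f"bob overwrites profile -> {can_write(store, 'profile:alice', bob)}")
```

In the token-only mode the public catalog and the private profile are equally exposed, which is the situation the researchers found; with ACLs enforced, the same app token still serves the public read-only record but a stranger, logged in or not, can neither read nor alter another user's profile.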
Rob Shapland, senior penetration tester at UK-based First Base Technologies LLC, said these issues are caused either by a lack of awareness by developers or a lack of willingness to put in the work to implement cloud backups securely.
"The cloud providers offer some good tools to help secure user data (such as AWS's Cognito service), but it is down to developers to ensure that these systems are being used," Shapland said. "It is not technically difficult to store user data securely, but there needs to be a willingness from developers to treat security as an important part of the app development lifecycle."
The research team scanned 750,000 apps on both Android and iOS and found that few use an access control scheme that would make these implementations more secure.
"Due to legal restrictions and the huge amount of suspicious apps, we could only inspect a small number in detail," said Bodden. "However, our findings and the nature of the problem indicate that an enormous amount of app-related information is open to identity theft or even manipulation."
Bodden's team has reached out to Amazon and Facebook about the findings and they have in turn begun to contact app developers who need to take action and secure their apps.