Thousands of Android and iOS apps leak data from the cloud

For years, simple configuration errors have been a major source of exposure when companies keep data in the cloud. Instead of carefully restricting who can access the information stored in their cloud infrastructure, organizations too often misconfigure their defenses. It is the digital equivalent of leaving windows or doors open at home before going on a long vacation. This data-leak problem extends beyond the web services that usually make headlines. Mobile security firm Zimperium has found that these exposures also pose a major problem for iOS and Android apps.

Zimperium performed automated scans on more than 1.3 million Android and iOS apps to detect common misconfigurations that exposed data. Researchers found nearly 84,000 Android apps and nearly 47,000 iOS apps that used public cloud services (such as Amazon Web Services, Google Cloud, or Microsoft Azure) in their backend, rather than running their own servers. Of these, researchers found misconfigurations in 14% of that total (11,877 apps for Android and 6,608 apps for iOS), which exposed users' personal information, passwords, and even medical information.

“It’s a disturbing trend,” says Shridhar Mittal, CEO of Zimperium. “Many of these apps have cloud storage that the developer or whoever set it up didn’t set up correctly, so the data is visible to anyone. And most of us have some of these apps right now.”

The researchers contacted a handful of the app makers whose apps had cloud exposures, but say the response was minimal and many apps still have data exposed. That is why Zimperium is not naming the affected applications. In addition, researchers cannot notify tens of thousands of developers. Mittal says, however, that the services they examined range from apps with a few thousand users to those with a few million. One of the applications in question is a mobile wallet from a Fortune 500 company that exposes session information and financial data. Another is a large city's transportation app that exposes payment data. Researchers also found medical applications with test results and even users' profile pictures exposed.

Since Zimperium found nearly 20,000 apps with cloud misconfigurations, the company did not attempt to individually assess whether attackers have already discovered and abused any of the exposures. But these open doors and windows would be easy to find for bad actors using the same publicly available information that Zimperium used in its research. Hacking groups are already doing this type of scanning to find cloud misconfigurations in web services. And Mittal says that in addition to sensitive user data, researchers also found network credentials, system configuration files, and server architecture keys in some of the application storage spaces, which attackers could use to gain deeper access to an organization's digital systems.

On top of all that, the researchers found that some of the misconfigurations would allow bad actors to change or overwrite data, creating additional potential for fraud and disruption.

While major cloud vendors like AWS have worked to proactively detect possible misconfigurations and warn customers of them, it is ultimately up to developers and IT administrators to check that things are set up as intended.

“It’s absolutely logical that misconfiguration can be a widespread problem,” says Will Strafach, a longtime iOS security researcher and creator of the Guardian Firewall app. “I’ve seen AWS buckets with poor permissions and I’ve also seen several VPN nodes exposing data. I’ve seen a lot of business applications that should know better that have horrible security issues.”
