Security firm finds ‘thousands’ of mobile apps leaking personal information due to unsecured cloud configurations
According to Zimperium's analysis, 14 percent of apps using cloud storage had unsecure configurations and were vulnerable.
Security firm Zimperium has released a report that states there are unsecured cloud configurations currently exposing millions of peoples information in thousands of mobile apps on both iOS and Android, according to a report.
Developing apps for Android and iOS involves not only working on the user facing side of the interface but also the parts that interact with the web and the servers that host the content powering those apps. Apps also talk to cloud-based databases (such as Google’s Firebase) which means that developers don’t have to worry about complex APIs for things like notifications.
“However, the process of securing these cloud containers used by mobile applications tends to be overlooked by app developers while the impact of a misconfigured cloud container on the app developer, their business and their users can be extremely high,” the company stated in a blog post.
The company’s zLabs Team found that 14 percent of the mobile apps studied that use cloud storage had set up insecure configurations and as a result exposed personally identifiable information or PII, enabled fraud and exposed intellectual property or systems and configurations.
Among the apps exposing PII were medical apps that revealed personal medical information including test results, and social media apps that exposed photos, phone numbers. Meanwhile, major game apps were found to expose server configuration, while fitness apps revealed the developer’s server app, allowing potential reverse engineering or manipulation of the apps, the company said in its blog post.
On the other hand the zLabs team also found a fortune 500 mobile wallet, a major city transportation app, a major online retailer, and a gambilng app all enabling fraud. Meanwhile, a major music app, a major news service a fortune 500 software company, major airport, major hardware developer and an asian government travel app could be putting intellectual property at risk. The company has not yet named the apps in the report as many of the security vulnerabilities still exist, according to a report by Wired.