App data vulnerability threatens millions of users

May 29, 2015, Technische Universitat Darmstadt
Users should take care what kind of data they trust their apps with. Credit: Fraunhofer SIT

Researchers at Technische Universität Darmstadt and Fraunhofer SIT have investigated cloud databases and found that developers use the cloud providers' authentication mechanisms incorrectly, leaving millions of user accounts open to attack.

Technische Universität Darmstadt and Fraunhofer SIT have investigated cloud databases like Facebook's Parse and Amazon's AWS and found 56 million sets of unprotected data.

The researchers found email addresses, passwords, health records and other sensitive information of app users, which can easily be stolen and often manipulated. App developers use cloud databases to store user data but apparently ignore the security recommendations of the cloud providers. As a result, many users are exposed to identity theft and other cybercrimes.

"Therefore users should take care what kind of data they trust their apps with", says Prof. Eric Bodden, the leader of the joint research team. Further information about the vulnerability has been provided by the researchers online.

Different methods of authentication

Many apps store user information in cloud databases, for instance to ease synchronization between their Android and iOS versions. Cloud providers offer different authentication methods according to the sensitivity of the information.

The weakest form of authentication, meant to identify the app rather than to protect the data, uses a simple API token, a value embedded in the app's code. With current tools, however, attackers can easily extract those tokens and not only read the data, but often even manipulate it. Attackers could, for example, sell email addresses on the underground market, blackmail users, deface websites or insert malicious code to spread malware or build botnets.

To properly protect private data, apps must implement an access-control scheme. However, the tests show that the vast majority of apps do not use such access control. Focusing on apps from Google's Play Store and Apple's App Store, the scientists scanned 750,000 apps using several internally developed analysis frameworks, including Fraunhofer's Appicaptor. With the help of these expert tools the scientists were able to identify apps using the weak form of authentication and started an in-depth analysis of selected apps. During the investigation it turned out that many data items contained private information, for example verified email addresses, full user names or information about psychological illnesses.
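The distinction the article draws, an app-wide token that only identifies the app versus an access-control scheme enforced on the server, is easy to see in a small model. This is an added example written for this page, not code from the researchers or from any cloud provider; the token, user table and record layout are constructed, and the ACL is a simplified owner-plus-readers list rather than any provider's real API.

```python
import hmac
import secrets
from dataclasses import dataclass, field

APP_TOKEN = "example-app-token-shipped-in-apk"  # constructed: the key embedded in the client
USERS = {"alice": "alice-pw", "bob": "bob-pw"}  # constructed user table (hash passwords for real)
@dataclass
class Record:
    owner: str
    data: dict
    readers: set = field(default_factory=set)  # users besides the owner allowed to read

def check_app(token):
    if not hmac.compare_digest(token, APP_TOKEN):  # proves only "caller has our app's key"
        raise PermissionError("unknown app")

class WeakStore:
    # Weak pattern: the embedded token is the only credential, so a holder of the
    # extracted token reads and rewrites every user's records.
    def __init__(self):
        self.rows = {}
    def dump(self, token):
        check_app(token)
        return {rid: r.data for rid, r in self.rows.items()}
    def write(self, token, rid, data):
        check_app(token)
        self.rows[rid].data = data

class AclStore:
    # Hardened pattern: the app token still only identifies the app; each request also
    # carries a server-issued user session, and the per-record ACL is enforced server side.
    def __init__(self):
        self.rows, self.sessions = {}, {}  # sessions: session id -> user name
    def login(self, token, user, password):
        check_app(token)
        if not hmac.compare_digest(USERS.get(user, ""), password):
            raise PermissionError("bad credentials")
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid
    def read(self, sid, rid):
        user, rec = self.sessions.get(sid), self.rows[rid]
        if user and (user == rec.owner or user in rec.readers):
            return rec.data
        raise PermissionError("no session or ACL denies read")
    def write(self, sid, rid, data):
        rec = self.rows[rid]
        if self.sessions.get(sid) != rec.owner:  # only the owner may change a record
            raise PermissionError("no session or ACL denies write")
        rec.data = data
```

With the weak store, the extracted token alone dumps and rewrites every row; with the ACL store, the same token gets nothing without a valid user session, and a session only reaches the rows its ACL grants.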

Developers must take action

"Due to legal restrictions and the huge amount of suspicious apps, we could only inspect a small number in detail", says Prof. Eric Bodden. "However, our findings and the nature of the problem indicate that an enormous amount of app-related data is open to theft or even manipulation."

When the scientists discovered the problem, they immediately informed the cloud providers and the German Federal Office for Information Security (BSI). "With Amazon's and Facebook's help we also informed the developers of the respective apps, and they really are the ones who need to take action because they underestimated the danger", says Bodden.
