‘Billions’ of records at risk from mobile app data security flaw

Security researchers have uncovered a flaw in the way thousands of popular mobile applications store data online, leaving users’ personal information, including passwords, addresses, door codes and location data, vulnerable to hackers. The team of German researchers found 56 million items of unprotected data in the applications it studied in detail, which included games, social networks, messaging, medical and bank transfer apps. Team leader Eric Bodden said the number of records affected “will likely be in the billions”.

In almost every category we found an app which has this vulnerability in it.

Siegfried Rasthofer, Darmstadt University of Technology

The problem, Bodden said, is in the way developers — those who write and sell the applications — authenticate users when storing their data in online databases. Most such apps use services like Amazon’s Web Services or Facebook’s Parse to store, share or back up users’ data. While such services offer ways for developers to protect the data, most choose the default option, based on a string of letters and numbers embedded in the software’s code, called a token. Attackers, Bodden says, can easily extract and tweak those tokens in the app, which then gives them access to the private data of all users of that app stored on the server. The vulnerable applications, which they declined to name, number in the tens of thousands, and include some of the most popular on the Apple and Google app stores.

The amount of effort to compromise data by exploiting app vulnerabilities is far less than the effort to exploit Heartbleed.

Eric Bodden

Technology Mobile app flaw