Thousands of Android and iOS apps leak data from the cloud

For years, simple configuration errors have been a major source of exposure when companies keep data in the cloud. Rather than carefully restricting who can access information stored on their cloud infrastructure, organizations often misconfigure their defenses. It is the digital equivalent of leaving the windows or doors of your home open before going on an extended vacation. This data leakage problem applies to more than just the web services that normally make headlines. Mobile security company Zimperium has found that these exposures pose a major problem for iOS and Android apps as well.

Zimperium ran automated scans on more than 1.3 million Android and iOS apps to detect common cloud misconfigurations that exposed data. The researchers found almost 84,000 Android apps and almost 47,000 iOS apps using public cloud services – like Amazon Web Services, Google Cloud or Microsoft Azure – on their backend instead of running their own servers. Of these, the researchers found incorrect settings in 14 percent of the total – 11,877 Android apps and 6,608 iOS apps – exposing users’ personal information, passwords and even medical information.

“It is a worrying trend,” said Shridhar Mittal, CEO of Zimperium. “Many of these applications have cloud storage that has not been configured correctly by the developer or by those who configured things, so the data is visible to just about anyone. And most of us have some of these apps now.”

The researchers contacted some of the application makers whose cloud exposures they found, but they say the response was minimal and many applications still have data exposed. That is why Zimperium is not naming the affected applications in its report. In addition, researchers cannot notify tens of thousands of developers. Mittal says, however, that the services they examined range from applications with a few thousand users to those with a few million. One of the applications in question is a mobile wallet from a Fortune 500 company that exposes some user session information and financial data. Another is a transportation app from a major city that exposes payment data. The researchers also found medical apps with test results and even users’ profile pictures out in the open.

Given that Zimperium found almost 20,000 apps with incorrect cloud settings, the company did not attempt to individually assess whether attackers have already discovered and abused any of the exposures. But those open doors and windows would be easy to find using the same publicly available information that Zimperium used in its research. Hacker groups are already doing this type of scanning to find incorrect cloud settings in web services. And Mittal says that in addition to users’ confidential data, the researchers also found network credentials, system configuration files and server architecture keys in some of the exposed storage, which attackers could use to gain deeper access to an organization’s digital systems.

In addition, the researchers found that some of the incorrect settings would allow malicious actors to alter or overwrite data, creating additional potential for fraud and disruption.

While major cloud providers, such as AWS, have made an effort to proactively detect potential misconfigurations and warn customers about them, it is ultimately up to developers and IT administrators to make sure things are set up as planned.
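As an added illustration (not from Zimperium's report or the original article), the following Python example shows a check a developer can run against their own bucket's configuration to tell world-readable storage from world-writable storage, the two exposure classes described above. It assumes the JSON shapes of an S3 bucket policy and of the grants in a bucket ACL; the function names and the sample policy are constructed for this example.

```python
import fnmatch

# S3 ACL group URIs meaning "anyone" and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = ["s3:GetObject", "s3:ListBucket"]
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl"]

def _as_list(value):
    return value if isinstance(value, list) else [value]
def _is_public(principal):
    # Both "*" and {"AWS": "*"} grant access to every caller.
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
def _allows(patterns, actions):
    # Policy actions are case-insensitive and may use * and ? wildcards.
    return any(fnmatch.fnmatchcase(a.lower(), p.lower())
               for p in patterns for a in actions)

def audit_bucket(policy, acl_grants):
    """Return sorted findings: public-read, public-write, public-conditional."""
    findings = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            findings.add("public-conditional")  # a person must judge the condition
            continue
        patterns = _as_list(stmt.get("Action", []))
        if _allows(patterns, READ_ACTIONS):
            findings.add("public-read")
        if _allows(patterns, WRITE_ACTIONS):
            findings.add("public-write")
    for grant in acl_grants:
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            perm = grant.get("Permission")
            if perm in ("READ", "FULL_CONTROL"):
                findings.add("public-read")
            if perm in ("WRITE", "WRITE_ACP", "FULL_CONTROL"):
                findings.add("public-write")
    return sorted(findings)

# Constructed sample: objects world-readable, uploads open to any AWS principal.
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Put*"]},
]}
```

The check does not evaluate `NotAction`, `NotPrincipal` or account-level Block Public Access settings, so a clean result narrows the review but does not replace it.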

“It makes absolute sense that the wrong configuration could be a widespread problem,” says Will Strafach, a former iOS security researcher and creator of the Guardian Firewall application. “I’ve seen AWS buckets with incorrect permissions and also several VPN nodes exposing data. I’ve seen many apps from companies that should know better that have terrible security issues.”
