
Thousands of iPhone apps leak user data due to incorrect settings

Cloud storage services have exploded in popularity over the past 10 years. You probably use services such as iCloud or Google Drive yourself so as not to take up space on your computer or iPhone. It is all the more convenient since many applications allow you to store data in the cloud. But, as it turned out, such applications often do not take care of their users’ data security. Mobile security company Zimperium has found that tens of thousands of iOS and Android apps have cloud misconfigurations that can let almost anyone download user data.

Security analysts ran an automated analysis of over 1.3 million Android and iOS apps to identify common cloud misconfigurations that expose user data. Researchers found nearly 84,000 Android apps and nearly 47,000 iOS apps that use public cloud services such as Amazon Web Services, Google Cloud or Microsoft Azure rather than their own servers. The researchers identified misconfigurations in 14% of the total number of programs – 11,877 apps for Android and 6,608 apps for iOS. These applications reveal users’ personal information, passwords and even medical information, writes Wired.

As experts point out, many of these applications have cloud storage that has not been properly configured by the developer or anyone else. Because of this, user data is visible to almost anyone.

New application vulnerability in the App Store

The researchers reached out to the developers of several applications in which they found cloud vulnerabilities, but they said very few responded, and most applications continue to leave data open. Unfortunately, Zimperium does not name the affected applications in its report. Also, researchers cannot notify tens of thousands of developers at once.

One such application is a mobile wallet from a Fortune 500 company that exposes information about user sessions and financial data. Another example is a transport application where payment data is stored in cleartext. The researchers also found open medical applications with test results and even user profile pictures.

The company has not yet been able to assess whether attackers have discovered any of the vulnerabilities the experts found. But it notes that they will be easy to find using the same publicly available information that Zimperium used in its research. Hacker groups are already performing this type of scan to find cloud misconfigurations in web services. On top of that, the researchers found that some misconfigurations allow attackers to modify or overwrite data.

How do I secure my data?

Major cloud service providers such as Amazon have already made efforts to detect possible misconfigurations and alert customers to them. However, it is still up to the developers to fix these vulnerabilities.

Misconfiguration of cloud services can be a widespread problem, says Will Strafach, iOS security researcher and creator of the Guardian Firewall app.

It seems that many services, including large ones, have serious problems with the security of cloud data. It’s a pity we don’t know such apps’ exact names yet, but I think this information will come up soon.
