Cloud storage services have exploded in popularity over the past 10 years. You probably use iCloud or Google Drive yourself to save space on your computer or iPhone. It is all the more convenient since many applications allow you to store data in the cloud. But, as it turns out, such applications often do not take care of their users’ data security. Mobile security company Zimperium discovered that tens of thousands of iOS and Android apps have cloud misconfigurations, leaving user data that almost anyone can download.
Ordinary users may suffer due to developers’ careless attitude.
Security analysts automatically analyzed over 1.3 million Android and iOS apps to identify common cloud misconfigurations that expose user data. Researchers found about 84,000 Android apps and almost 47,000 iOS apps that use public cloud services such as Amazon Web Services, Google Cloud, or Microsoft Azure rather than their own servers. The researchers identified misconfigurations in 14% of the total number of programs – 11,877 applications for Android and 6,608 applications for iOS. These applications reveal users’ personal information, passwords, and even medical information, Wired reports.
As experts point out, many of these applications have cloud storage that has not been properly configured by the developer or anyone else. Because of this, user data is visible to almost anyone.
Most of us have some of these apps installed right now, Zimperium said.
New App Store Vulnerability
If the developers had configured the cloud services correctly, there would have been no problems.
The researchers reached out to the developers of several applications in which they found cloud vulnerabilities, but they said very few responded, and most applications continue to leave data open. Unfortunately, Zimperium does not name the affected applications in its report. Also, researchers cannot notify tens of thousands of developers at once.
One such application is a mobile wallet from a Fortune 500 company that exposes information about user sessions and financial data. Another example is a transport application where payment data is stored in cleartext. The researchers also found open medical applications with test results and even user profile pictures.
The company has not yet been able to assess whether cybercriminals have discovered any of the vulnerabilities the experts found. But it notes that they will be easy to find using the same publicly available information that Zimperium used in its research. Hacker groups are already performing this type of scan to find cloud misconfigurations in web services. On top of that, the researchers found that some misconfigurations allow attackers to modify or overwrite data…
How do I secure my data?
Major cloud service providers such as Amazon have already made efforts to detect possible misconfigurations and alert customers to them. However, it is still up to the developers to fix these vulnerabilities.
It’s clear that misconfiguration of cloud services can be a widespread problem, says Will Strafach, iOS security researcher and creator of the Guardian Firewall app.
It seems that many services, including large ones, have serious problems with the security of cloud data. It’s a pity we don’t know the exact names of such apps yet, but I think this information will come up soon.