Thousands of Mobile Apps Expose Data via Misconfigured Cloud Containers

Thousands of mobile applications expose user data through insecurely implemented cloud containers, according to a new report from security vendor Zimperium.

The issue, the company notes, is rooted in the fact that many developers tend to overlook the security of cloud containers during the development process.

Cloud services help resolve the issue of storage space on mobile devices, and developers have numerous such solutions to choose from, some of the most popular being Amazon Web Services, Microsoft’s Azure, Google Storage, and Firebase, among others.

“All of these services allow you to easily store data and make it accessible to your apps. But, herein lies the risk, the ease of use of these services also makes it easy for the developer to misconfigure access policies – potentially allowing anyone to access and in some cases even alter data,” Zimperium notes.

An analysis of mobile applications that use cloud storage has revealed that roughly 14% rely on insecure configurations, potentially exposing Personally Identifiable Information (PII), enabling fraud, and/or exposing IP or internal systems and configurations.

PII exposed through these misconfigurations includes profile pictures, addresses, financial information, medical details, and more. When PII leaks, developers face legal risks (the victim might sue the app developers) and brand damage, among others.

Information leaks may also involve the exposure of details related to the app operations and infrastructure. Some of the analyzed apps would leak their entire cloud infrastructure scripts, SSH keys, web server config files, installation files, or passwords.

An attacker could use this information to learn about the computing infrastructure of an organization, and even take over the ..