For years, simple configuration errors were a major source of exposure when businesses keep data in the cloud. Instead of carefully restricting who can access information stored in their cloud infrastructure, organizations too often misconfigure their defenses. It’s the digital equivalent of leaving windows or doors open in your home before you go on vacation. This data leak problem applies to more than the web services that typically grab the headlines. Mobile security company Zimperium has found these exposures to be a major problem for iOS and Android apps as well.
Zimperium performed an automated scan on over 1.3 million Android and iOS apps to find common cloud configuration errors that exposed data. Researchers found nearly 84,000 Android apps and nearly 47,000 iOS apps using public cloud services – like Amazon Web Services, Google Cloud, or Microsoft Azure – in their backend instead of running their own servers. Of those, researchers found configuration errors in 14% of those totals – 11,877 Android apps and 6,608 iOS apps – exposing users’ personal information, passwords, and even medical information.
“This is a worrying trend,” says Shridhar Mittal, CEO of Zimperium. “A lot of these apps have cloud storage that hasn’t been configured properly by the developer or whoever configured things and because of that the data is visible to just about everyone. And most of us currently have some of these apps. “
The researchers contacted a handful of app makers they found with cloud exposures, but they say the response has been minimal and many apps still have data exposed. This is why Zimperium does not name the affected applications in its report. Additionally, researchers cannot notify tens of thousands of developers. Mittal says, however, that the services they reviewed span the gamut from applications with a few thousand users to those with a few million. One of the apps in question is a mobile wallet from a Fortune 500 company that exposes certain user session information and financial data. Another is a big city transportation app that exposes payment data. Researchers have also found medical applications with test results and even profile pictures of users in the open.
Since Zimperium found nearly 20,000 applications with misconfigurations in the cloud, the company did not attempt to individually assess whether attackers had already discovered and abused any of the exposures. But those open doors and windows would be easy to find for bad actors using the same publicly available information Zimperium used in their research. Hacking groups are already doing this this type of scanning to find cloud configuration errors in web services. And Mittal says that in addition to sensitive user data, researchers also found network credentials, system configuration files, and server architecture keys in some of the exposed application stores that attackers could potentially. use to gain deeper access to an organization’s digital systems.
On top of all this, the researchers found that some of the configuration errors would allow bad actors to modify or overwrite the data, creating additional potential for fraud and disruption.
Although major cloud providers like AWS have strived to proactively detect possible configuration errors and alerting customers to them, it is ultimately up to developers and IT administrators to verify that things are configured as intended.
“It absolutely makes sense that a misconfiguration could be a widespread problem,” says Will Strafach, longtime iOS security researcher and creator of the Guardian Firewall app. “I’ve seen AWS buckets with the wrong permissions, and I’ve also seen multiple VPN nodes exposing data. I’ve seen a lot of business apps that should know more about it and have terrible security issues. ”