Skip to main content

Some Android and iOS apps are leaking data due to misconfigured cloud services

System Hardening Android
(Image credit: Google)

Thousands of Android and iOS apps have been found to be misconfigured and leaking user data after developers failed to implement the correct security settings, a new report has claimed.

As they scanned more than 1.3 million Android and iOS apps that relied on public cloud services, mobile security firm Zimperium found around14% hadn’t implemented the right security controls.

“A lot of these apps have cloud storage that was not configured properly by the developer or whoever set things up and, because of that, data is visible to just about anyone. And most of us have some of these apps right now,” Zimperium CEO Shridhar Mittal said in an interview with Wired.

Improper plumbing

Zimperium is one of the mobile security firms that’s been signed up by Google, in the App Defense Alliance initiative, to regularly scan apps on the Google Play store in a bid to boot malicious ones.

According to the interview, Mittal says that the company recently used the same tools to look for accidental exposures, only to discover 11,877 Android apps and 6,608 iOS apps, that were exposing all kinds of personal information about their users.

Zimperium discovered network credentials, system configuration files, and even server architecture keys in some of the exposed data. 

According to Wired, one of the leaky apps is a mobile wallet from a Fortune 500 company that's exposing some details about its user’s sessions as well as their financial data. 

Another is a transportation app from a large city that was found to be leaking payment data. Zimperium also found medical apps exposing their user’s test results along with profile images for everyone to see.

The company says it isn’t naming the apps since it can’t notify all of them. However Mittal hopes that news about their scans and the subsequent discovery of the leaks will encourage developers to examine the security settings of their apps.

But at the same time, he also mentions that given the nature of mobile app development, where many choose to outsource the development to the cheapest bidder, the problem of apps leaking user data isn’t going away anytime soon.

Via: Wired