One Developer Error Puts Millions of Android and iOS Users at Risk of Data Exposure
A new data exposure vulnerability has been discovered plaguing nearly 700 apps on both Android and iOS. Dubbed as Eavesdropper, the vulnerability puts over hundreds of millions of users at serious risk of data exposure, security researchers have warned.
Eavesdropper affects both the Android and iOS apps
Security researchers at Appthority released their research last night revealing that the flaw affects over 685 enterprise apps, 44% of which are on Android and 56% are iOS apps. The vulnerable Android apps alone have been downloaded over 180 million times through Play Store. The problem has been discovered in apps built around Twilio service – a cloud communications platform that offers software developers to programmatically make and receive phone calls and send/receive text messages using its web service APIs.
The security flaw was caused by a simple developer error that inadvertently exposed API credentials of hundreds of apps. The problem stems from Twilio-based apps having credentials hard coded in the API. “By hard coding their credentials, the developers have effectively given global access to all metadata stored in their Twilio accounts, including text/SMS messages, call metadata, and voice recordings,” the researchers wrote.
Researchers write that hackers could simply access these credentials by reviewing the code in the apps, then gain access to conversations and SMS messages sent using the service.
The problem was first discovered in April this year and Appthority Mobile Threat Team (MTT) informed Twilio of the problem in July. The company has since been alerting app developers to revoke access for the exposed API keys. Researchers, however, note that “as of the end of August 2017,” 75 of these vulnerable apps were still available on Google Play Store, and 102 on Apple’s App Store, adding that exposure has been present since 2011.
“The exposed data could potentially contain anything from contract negotiations, pricing discussions, or confidential recruiting calls, to proprietary product and technology disclosures, health diagnoses, market data, and M&A planning.”
How the attack works on iOS and Android apps
Appthority notes that an Eavesdropper attack is pretty easy to carry out as it “only requires three steps to execute: reconnaissance, exploitation, and exfiltration.” This is unlike other sophisticated attacks that need to perform weaponization or use phishing tools.
- Reconnaissance: The attacker searches for apps that employ Twilio (some advertise this feature; others can be discovered based on their functionality of offering SMS or calls).
- Exploitation: Look out for Twilio credentials, which consist of a Twilio ID and a token/password.
- Exfiltration: Exfiltrate user data.
Focus on enterprise but normal users affected too
Appthority in its research wrote that a third of all affected apps are enterprise, enabling attackers to gain access to potential financial or government targets. Using this flaw, they could eavesdrop on highly confidential phone calls or text messages.
While Appthority hasn’t shared the list of affected apps in an effort to not tip off potential hackers, Twillio’s website claims its users include Uber and Netflix. It is unlikely that Uber or Netflix would have hardcoded credentials in their apps, but it’s not entirely impossible. In the aftermath of the report, shares of Twilio also slid nearly 7 percent.
“We believe this is likely the largest active enterprise data leak from a mobile app vulnerability discovered to date,” researchers claimed.
– Full report is available here (PDF)