Researchers from the Darmstadt and Fraunhofer University of Technology in Germany have investigated a range of cloud databases, prompted by their growing popularity among mobile users who want to sync their data across several devices.
The team, led by Professor Eric Bodden, specifically examined login processes using services from Amazon, Google and Facebook, with a focus on apps from Google’s Play Store and Apple’s App Store.
In all, the scientists tested some 750,000 apps with internally developed tools, examining how each app uses Backend-as-a-Service (BaaS) to store its data.
Some apps were found to be sharing public data – which doesn’t generally constitute any kind of security risk – but many of those tested also shared confidential data, such as:
- Email addresses
- Full names
- Location data
- Postal addresses
- Stored photos, audio and video recordings
- Facebook data
- Health records
- Financial transactions
- Detailed device information
- Access to web-based storage plans and devices
Given the scope of crimes that could be perpetrated against someone with the above information – including identity theft and banking fraud – Professor Bodden issued the same type of warning that security researchers have been offering over the last few years, namely that:
Users should take care what kind of data they trust their apps with.
That, the team says, is because developers are not following the security recommendations they have been given:
When app developers include a BaaS into their app with just a few lines of code, this typically constitutes an insecure usage of the service. All cloud providers extensively document on their webpages how apps must include the BaaS such that secure access to the data is guaranteed. Most developers seem to be missing this crucial piece of information, though, and opt for the simple but insecure usage of the service, probably not even aware that they are putting their users’ data at risk.
The researchers determined that almost every app they tested granted access to the associated data via a secret key embedded in the app itself, a key that anyone with sufficient knowledge of mobile application code could extract.
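The contrast the researchers draw, between the "few lines of code" integration that ships a single all-access key inside the app and the provider-documented pattern in which each user obtains a scoped, short-lived credential after authenticating, is easier to see in code. The following is an added example, not code from the article or the researchers' tools: the BaaS, its keys, the user records and the login service are all constructed stand-ins, and the toy token format and password check are this example's own assumptions rather than any real provider's API.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ToyBaaS:
    """Constructed stand-in for a BaaS data store; not a real provider's API."""
    master_key: str                                # unrestricted key: belongs on a server, never in the app
    token_secret: bytes                            # server-side secret that signs per-user tokens
    records: dict = field(default_factory=dict)    # user_id -> that user's confidential record

    def read(self, credential: str, user_id: str, now: Optional[float] = None) -> dict:
        """Return user_id's record if credential authorizes it, else raise PermissionError."""
        if hmac.compare_digest(credential.encode(), self.master_key.encode()):
            return self.records[user_id]           # master key reads every user's data
        claims = self.verify_token(credential, now=now)
        if claims["sub"] != user_id:
            raise PermissionError("token is scoped to another user")
        return self.records[user_id]

    def mint_token(self, user_id: str, ttl: int = 300, now: Optional[float] = None) -> str:
        """Issue an HMAC-signed token naming one user that expires after ttl seconds."""
        now = time.time() if now is None else now
        payload = json.dumps({"sub": user_id, "exp": now + ttl}, sort_keys=True).encode()
        sig = hmac.new(self.token_secret, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + sig

    def verify_token(self, token: str, now: Optional[float] = None) -> dict:
        """Check signature and expiry; return the claims or raise PermissionError."""
        now = time.time() if now is None else now
        try:
            payload_hex, sig = token.split(".")
            payload = bytes.fromhex(payload_hex)
        except ValueError as exc:
            raise PermissionError("malformed token") from exc
        expected = hmac.new(self.token_secret, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad token signature")
        claims = json.loads(payload)
        if claims["exp"] < now:
            raise PermissionError("token expired")
        return claims


class InsecureApp:
    """The 'few lines of code' integration: the master key is compiled into the app,
    so whoever unpacks the binary holds a credential that reads every user's record."""
    EMBEDDED_KEY = "MASTER-KEY-CONSTRUCTED-EXAMPLE"   # constructed; a shipped app would hold a real key

    def __init__(self, baas: ToyBaaS):
        self.baas = baas

    def fetch(self, user_id: str) -> dict:
        return self.baas.read(self.EMBEDDED_KEY, user_id)   # no login, no per-user scoping


class LoginService:
    """Developer-side login endpoint (constructed): holds the master secret, hands out scoped tokens."""
    def __init__(self, baas: ToyBaaS, password_hashes: dict):
        self.baas, self.password_hashes = baas, password_hashes

    def login(self, user_id: str, password: str) -> str:
        digest = hashlib.sha256(password.encode()).hexdigest()   # toy check; a real service uses a password KDF
        if not hmac.compare_digest(digest, self.password_hashes.get(user_id, "")):
            raise PermissionError("bad credentials")
        return self.baas.mint_token(user_id)


class SecureApp:
    """The app never holds the master key; it carries only a short-lived token for its own user."""
    def __init__(self, baas: ToyBaaS, login_service: LoginService):
        self.baas, self.login_service, self.token = baas, login_service, None

    def login(self, user_id: str, password: str) -> None:
        self.token = self.login_service.login(user_id, password)

    def fetch(self, user_id: str, now: Optional[float] = None) -> dict:
        return self.baas.read(self.token, user_id, now=now)


def _denied(action) -> bool:
    """True if the action is refused with PermissionError."""
    try:
        action()
    except PermissionError:
        return True
    return False


def run_demo() -> dict:
    """Run both integrations against one store and report what each could read."""
    baas = ToyBaaS(master_key=InsecureApp.EMBEDDED_KEY, token_secret=secrets.token_bytes(32),
                   records={"alice": {"email": "alice@example.com", "location": "Darmstadt"},
                            "bob": {"email": "bob@example.com", "location": "Berlin"}})  # constructed data
    results = {}
    # Insecure integration: the key lifted from the app binary reads anyone's data with no login.
    leaky = InsecureApp(baas)
    results["insecure_reads_any_user"] = leaky.fetch("bob")["email"] == "bob@example.com"
    # Recommended integration: a scoped, expiring credential obtained only after authenticating.
    app = SecureApp(baas, LoginService(baas, {"alice": hashlib.sha256(b"alice-pw").hexdigest()}))
    results["secure_blocked_wrong_password"] = _denied(lambda: app.login("alice", "guess"))
    app.login("alice", "alice-pw")
    results["secure_reads_own_record"] = app.fetch("alice")["location"] == "Darmstadt"
    results["secure_blocked_other_user"] = _denied(lambda: app.fetch("bob"))
    results["secure_blocked_after_expiry"] = _denied(lambda: app.fetch("alice", now=time.time() + 301))
    payload_hex, sig = app.token.split(".")                     # token rewritten to name bob keeps alice's signature
    claims = dict(json.loads(bytes.fromhex(payload_hex)), sub="bob")
    forged = json.dumps(claims, sort_keys=True).encode().hex() + "." + sig
    results["secure_blocked_forged_token"] = _denied(lambda: baas.read(forged, "bob"))
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The point of the side-by-side is that the data store's access check is only as strong as the credential the client can present: with the master key in the binary there is nothing for the store to scope, whereas a signed, expiring, per-user token lets the same store refuse cross-user reads, expired sessions and rewritten tokens without the client ever holding a secret worth extracting.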
Because of the large number of suspicious apps, as well as legal restrictions, the researchers could perform detailed analysis on only a relatively small percentage of all the apps in the two marketplaces. Even so, Bodden said they were able to conclude that:
Our findings and the nature of the problem indicate that an enormous amount of app-related information is open to identity theft or even manipulation.
In a demonstration of responsible disclosure, the team shared its findings with the German Federal Office for Information Security (BSI) as well as cloud providers, with Bodden saying:
With Amazon’s and Facebook’s help we also informed the developers of the respective apps and they really are the ones who need to take action because they underestimated the danger.
So what can you do to protect your data from exposure in this manner?
According to the researchers, not much.
They say bad practice is so commonplace that the thousands of vulnerable apps they discovered are likely to be just the tip of the iceberg. There’s also no way for the average person to know whether a given app is using a BaaS insecurely or otherwise.
Therefore, their suggestion is to only rely upon apps that have been validated for security by third parties.