You open an application to read the news, check your e-mail or social networks and, on many occasions, it asks you for a username (which may be your email address) and a password. You must sign in to access the headlines which have been customized depending on your preferences, your Inbox where you receive your emails (and not those addressed to anyone else) or, to your personal, and supposedly non-transferable, account.
Technically, yes. A team of researchers from the University of Darmstadt (Germany) and the Fraunhofer Institute for Secure Information Technology scanned 750,000 applications for Android and iOS and discovered that the apps developers didn’t take as seriously as they should the security of this important step (login or authentication).
These experts claim that the analyzed apps, including very popular ones – although they didn’t give any names- and they detected vulnerabilities in all kinds of applications, from games to Instant Messaging, through social networks, financial services or even health-related software.
According to the findings of this research team, many programmers are managing the information needed for logging in, in a negligent or improper way, leaving user names, email addresses or passwords available to third parties with dubious intentions. During their analysis, they found 56 million ‘sets’ of unprotected data.
“App developers use cloud databases to store user data but apparently ignore the security recommendation given by the Cloud providers” says Prof. Eric Bodden, study’s lead author, regarding to the cloud databases offered by Facebook (Parse) and Amazon (AWS).
Storing the users data in third-party cloud it is easier for developers (for example, when it comes to synchronizing web services and applications for different operating systems), but it is a decision that should not be taken lightly. Our data’s security is at stake.
Why is there so much unprotected data?
Cloud vendors offer different security mechanisms to determine if a user is who he claims to be when he checks the database: the more sensitive the information, the higher the barriers. Bodden explains that “the weakest form of authentication, meant to identify rather than to protect the data, uses a simple API-token, a number embedded into the App’s code”.
Using the appropriate tools, an attacker could easily remove those tokens and access the data, read it or even manipulate it. There are endless ways of harming or cashing in for someone unscrupulous: from selling emails and passwords on the black market, to blackmailing the data owners, spreading malware or turning the cell phones of hundreds of users into soldiers of a bot army.
To prevent this, app developers should implement more sophisticated security measures, precisely, just what Facebook, Amazon and other cloud vendors recommend. As the research carried out by Darmstadt and Fraunhofer recommended, developers should implement an access-control scheme, which according to the test most of the 750,000 analyzed applications didn’t.
“Our findings and the nature of the problem indicate that an enormous amount of app-related information is open to identity theft or even manipulation” says Prof. Eric Bodden. “With Amazon’s and Facebook’s help we also informed the developers of the respective apps and they really are the ones who need to take action because they underestimated the danger”.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
