Security researchers have uncovered a flaw in the way thousands of popular mobile applications store data online, leaving users’ personal information, including passwords, addresses, door codes and location data, vulnerable to hackers.
The team of German researchers found 56 million items of unprotected data in the applications it studied in detail, which included games, social networks, messaging, medical and bank transfer apps.
“In almost every category we found an app which has this vulnerability in it,” said Siegfried Rasthofer, part of the team from the Fraunhofer Institute for Secure Information Technology and Darmstadt University of Technology.
Team leader Eric Bodden said the number of records affected “will likely be in the billions.”
Another security researcher working separately, Colombian Jheto Xekri, said he had also found the same flaw.
The problem, Bodden said, is in the way developers authenticate users when storing their data in online databases.
Most such apps use services like Amazon’s Web Services or Facebook’s Parse to store, share or back up users’ data.
While such services offer ways for developers to protect the data, most choose the default option, based on a string of letters and numbers embedded in the software’s code, called a token.
Attackers can easily extract and tweak those tokens in the app, which then gives them access to the private data of all users of that app stored on the server, Bodden said.
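As an added illustration that is not from the article or from any of the services it names: a minimal Python model of the two authorization policies described above, using constructed records and credentials. Under the weak default, the app-wide token embedded in the client is the only credential the server checks; under the per-user policy, the server requires a session issued at login and enforces each record's ACL, so the embedded token on its own grants nothing.

```python
from dataclasses import dataclass, field

@dataclass
class Record:
    owner: str
    data: dict
    readers: set = field(default_factory=set)  # extra users allowed to read

# Constructed sample values; not real credentials or real users.
APP_TOKEN = "app-token-embedded-in-client-binary"
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # server-issued per-user sessions
STORE = [
    Record("alice", {"address": "1 Example St", "door_code": "4321"}),
    Record("bob", {"address": "2 Example St"}, readers={"alice"}),
    Record("carol", {"location": "51.0,-0.1"}),
]

class Forbidden(Exception):
    pass

def fetch_app_token_only(token: str) -> list:
    """Weak default: the only check is the app-wide token. It ships in every
    copy of the app, so whoever pulls it out of the binary gets all users' records."""
    if token != APP_TOKEN:
        raise Forbidden("bad app token")
    return [r.data for r in STORE]

def fetch_per_user(session_token: str) -> list:
    """Hardened: the caller needs a per-user session issued after login, and the
    server filters by owner/ACL. The embedded app token is not a credential here."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not authenticated")
    return [r.data for r in STORE if r.owner == user or user in r.readers]

def access_denied(fetch, credential: str) -> bool:
    """True if the given fetch policy rejects the credential."""
    try:
        fetch(credential)
    except Forbidden:
        return True
    return False

if __name__ == "__main__":
    print("app-token policy, extracted token:", fetch_app_token_only(APP_TOKEN))
    print("per-user policy, alice's session:", fetch_per_user("sess-alice"))
    print("per-user policy rejects app token:", access_denied(fetch_per_user, APP_TOKEN))
```

The per-user policy is the server-side fix: authorization must be decided from a credential the client cannot simply copy out of the app, not from a value every installed copy shares.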
The researchers said they had no documented evidence that the vulnerability had been exploited.
The vulnerable applications, which they declined to name, number in the tens of thousands, and include some of the most popular on the Apple and Google app stores.
Rasthofer said all four companies had responded to their findings; he said Apple staff on Monday had told him that they would soon incorporate warnings to developers to double check their security settings before uploading apps to its App Store.
Google declined to comment, while Apple and Amazon did not respond to queries.
A Facebook spokesperson said that after researchers notified it of the vulnerability the company had been working with affected developers. She declined to provide details.
Facebook’s Parse lists among its customers some of the world’s biggest companies — all of which, Rasthofer said, were potentially affected.
Security researchers say mobile applications are more at risk of failing to secure users’ data than those running on desktop or laptop computers. This is partly because implementing stronger security is harder, and partly because developers are in a rush to release their apps, said Ibrahim Baggili, who runs a cybersecurity lab at the University of New Haven.
Others pointed to weaknesses in the ways apps transmit data.
Bryce Boland, Asia Pacific chief technology officer at Internet security company FireEye, said the report reflected deeper problems.
He said FireEye regularly found developers send users’ names and passwords unencrypted, “so it’s not surprising to find them storing them insecurely as well.”
Bodden likened his team’s discovery to the Heartbleed bug, a Web-based vulnerability reported last year that left half a million Web servers susceptible to data theft. Security researchers said this might be worse, since there was little users could do, and exploiting the vulnerability was easy.
“The amount of effort to compromise data by exploiting app vulnerabilities is far less than the effort to exploit Heartbleed,” said Toshendra Sharma, founder of Bombay-based mobile security company Wegilant.
Other security researchers say that while responsibility for weak authentication lies with those developing the apps, others in the chain should shoulder some of the blame.
“The truth is that there is plenty of fault to go around,” said Domingo Guerra, cofounder of mobile security company Appthority.
Cloud providers and app stores, he said, should ensure best practices are implemented correctly and test apps for such holes.