Thousands of Mobile Apps Expose User Data from the Cloud: Zimperium

Numerous Android and iOS applications have jeopardized user data due to prevalent cloud misconfigurations, according to a mobile security firm. These vulnerabilities could be exploited by malicious actors to misuse the exposed information. The research identified misconfiguration issues in apps utilizing popular public cloud services like Amazon Web Services, Google Cloud, and Microsoft Azure. Notably, a mobile wallet from a Fortune 500 company was found to expose session and payment details, potentially leading to fraudulent activities.

Automated analysis by Zimperium scrutinized over 1.3 million Android and iOS apps, revealing misconfiguration problems in 14 percent of the total. The company’s blog post highlighted instances where apps leaked entire cloud infrastructure scripts, including SSH keys. Configuration issues extended to web server files, installation files, and even passwords for payment kiosks.

Exposed information encompassed personally identifiable data such as profile pictures, personal details, and medical test results. Some apps even facilitated fraud or disclosed intellectual property (IP) and internal systems. Medical and social media apps, a major gaming app, and a fitness app were among those exposing PII. Additionally, apps related to city transportation, online retail, gambling, music, news services, mobile payments, airports, hardware development, and Asian government travel were found to expose IP and system details. The specific names of these apps were not disclosed by Zimperium.

During the review, Zimperium encountered apps relying on accessible Google and Amazon storage without adequate security. In one instance, information obtained included profile pictures and other PII. Misconfigurations, in some cases, empowered hackers to modify or overwrite data, causing further disruption to end users.

Wired reported that 11,877 Android apps and 6,608 iOS apps were exposing sensitive user information due to common cloud misconfigurations. Despite notifying app developers of these exposures, many apps continued to leak data, and responses from developers were generally minimal.

While cloud service providers offer tools to protect data, the responsibility for applying secure configurations lies with developers and app companies. Zimperium emphasized that developers must close off unauthorized access and incorporate secure software development practices. Zimperium is also a member of Google’s App Defense Alliance, where it contributes automated app scanning for Google Play. The tools used to investigate cloud misconfigurations were adapted from those used in the App Defense Alliance program, which are designed to identify potentially malicious functionality rather than accidental exposures.
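The misconfiguration class the article describes is, in the AWS case, a bucket whose policy grants read or write access to an anonymous principal. The following script is an added example (not Zimperium's scanner and not code from the article) that audits an S3 bucket policy document offline and reports whether any statement grants public read or public write. The bucket names, account ID and VPC endpoint ID in the sample policies are constructed placeholders, and the read/write action groupings are a simplification of the full AWS public-access evaluation.

```python
import fnmatch
import json
from typing import Any

# Concrete S3 actions that let an anonymous caller read bucket contents or
# write/overwrite them. Simplified grouping for this audit (assumption); policy
# patterns such as "s3:*" or "s3:Get*" are matched against these with fnmatch.
READ_ACTIONS = {"s3:getobject", "s3:listbucket"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject"}


def _as_list(value: Any) -> list:
    """Policy JSON allows a scalar or a list for Statement, Principal and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal: Any) -> bool:
    """True when the statement grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def _grants(patterns: list, wanted: set) -> bool:
    """True if any action pattern in the statement covers any action in `wanted`."""
    return any(fnmatch.fnmatch(action, p) for p in patterns for action in wanted)


def audit_bucket_policy(policy_json: str) -> dict:
    """Return which public grants a bucket policy contains.

    public_read / public_write are set only for unconditional anonymous grants.
    Statements using NotPrincipal/NotAction, or anonymous grants narrowed by a
    Condition, are listed under needs_review instead of being auto-classified.
    """
    policy = json.loads(policy_json)
    result = {"public_read": False, "public_write": False,
              "findings": [], "needs_review": []}
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement-{idx}")
        if "NotPrincipal" in stmt or "NotAction" in stmt:
            result["needs_review"].append(sid)  # negations need human reasoning
            continue
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        grants_read = _grants(patterns, READ_ACTIONS)
        grants_write = _grants(patterns, WRITE_ACTIONS)
        if not (grants_read or grants_write):
            continue
        conditional = bool(stmt.get("Condition"))
        result["findings"].append({"sid": sid, "read": grants_read,
                                   "write": grants_write, "conditional": conditional})
        if conditional:
            result["needs_review"].append(sid)
        else:
            result["public_read"] |= grants_read
            result["public_write"] |= grants_write
    return result


# Constructed sample policies (placeholder bucket names, account ID and endpoint ID).
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-assets/*"}]})

PUBLIC_WRITE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanOverwrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"}]})

SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "BackendRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-app-private/*"}]})

CONDITIONAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadViaEndpoint", "Effect": "Allow", "Principal": "*",
     "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-app-internal/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]})


if __name__ == "__main__":
    for name, doc in [("public-read", PUBLIC_READ_POLICY), ("public-write", PUBLIC_WRITE_POLICY),
                      ("scoped", SCOPED_POLICY), ("conditional", CONDITIONAL_POLICY)]:
        print(name, audit_bucket_policy(doc))
```

A policy that is clean under this check can still be exposed through a bucket ACL or through an account-level setting; in practice this audit is paired with the provider's block-public-access controls rather than used on its own.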