Thousands of Android and iOS Apps Leak Data From the Cloud

For years, simple setup errors have been a major source of exposure when companies keep data in the cloud. Instead of carefully restricting who can access the information stored in their cloud infrastructure, organizations too often misconfigure their defenses. It’s the digital equivalent of leaving the windows or doors open at your house before going on a long vacation. That leaky data problem applies to more than just the web services that typically grab headlines. Mobile security firm Zimperium has found that these exposures pose a major problem for iOS and Android apps as well.

Zimperium ran automated analysis on more than 1.3 million Android and iOS apps to detect common cloud misconfigurations that exposed data. The researchers found almost 84,000 Android apps and nearly 47,000 iOS apps using public cloud services—like Amazon Web Services, Google Cloud, or Microsoft Azure—in their backend as opposed to running their own servers. Of those, the researchers found misconfigurations in 14 percent of those totals—11,877 Android apps and 6,608 iOS apps—exposing users’ personal information, passwords, and even medical information.

“It’s a disturbing trend,” says Shridhar Mittal, Zimperium’s CEO. “A lot of these apps have cloud storage that was not configured properly by the developer or whoever set things up and, because of that, data is visible to just about anyone. And most of us have some of these apps right now.”

The researchers reached out to a handful of the app makers they found with cloud exposures, but they say the response was minimal and many apps still have exposed data. This is why Zimperium isn’t naming affected apps in their report. Additionally, the researchers can’t notify tens of thousands of developers. Mittal says, though, that the services they looked at run the gamut from apps with a few thousand users to those with a few million. One of the apps in question is a mobile wallet from a Fortune 500 company that’s exposing some user session information and financial data. Another is a transportation app from a large city that’s exposing payment data. The researchers also found medical apps with test results and even users’ profile images out in the open.

Given that Zimperium found nearly 20,000 apps with cloud misconfigurations, the company didn’t attempt to individually assess whether attackers have already discovered and abused any of the exposures. But these open doors and windows would be easy for bad actors to find using the same publicly available information that Zimperium used in its research. Hacking groups already do this type of scanning to find cloud misconfigurations in web services. And Mittal says that, in addition to sensitive user data, the researchers also found network credentials, system configuration files, and server architecture keys in some of the exposed app storage that attackers could potentially use to gain deeper access to an organization’s digital systems.

On top of all of that, the researchers found that some of the misconfigurations would allow bad actors to change or overwrite data, creating additional potential for fraud and disruption.

Though major cloud providers like AWS have made an effort to proactively detect possible misconfigurations and warn customers about them, it ultimately comes down to developers and IT administrators checking to confirm that things are set up as intended.

“It absolutely makes sense that misconfiguration could be a widespread issue,” says Will Strafach, a longtime iOS security researcher and creator of the Guardian Firewall app. “I’ve seen AWS buckets with bad permissions, and I’ve also seen multiple VPN nodes exposing data. I’ve seen a lot of apps from companies who should know better that have horrible security issues.”