There’s increasing pressure on application developers to churn out mobile apps as the workforce does more of its communications on smartphones and tablets. To help them, a number of providers such as Amazon Web Services, Parse.com (now owned by Facebook) and CloudMine2 offer back-end services in the cloud.
But a report presented by German security researchers at last week’s Black Hat Europe conference in Amsterdam warns that some of those services are “alarmingly insecure” and could be a back-door security risk. That’s because many apps embed hard-coded credentials, putting not only the user’s data but the whole platform at risk, they say.
With current tools “attackers can gain access to huge amounts of sensitive data such as millions of verified e-mail addresses, thousands of health records, complete employee and customer databases, voice records, etc.,” write the researchers from the Technical University’s Center for Advanced Security Research and the Fraunhofer Institute for Secure Information Technology.
“Often, one can manipulate, and delete records at will,” their paper says. “Some BaaS (backend-as-a-service) instances even suffer from remote code-execution vulnerabilities.”
Researchers analyzed over 2 million Android and iOS applications and found over 1,000 backend credentials, many of them re-used in several applications. That led to finding more than 18.6 million records with over 56 million individual data items.
The report serves as a warning to application developers that there are no shortcuts, no matter how big the name behind the cloud service is. “In general, app developers need to better understand that every app has security implications,” the report concludes, “which must be taken into consideration as part of the basic design of the app.”
At the same time, BaaS providers should include easily usable end-to-end encryption and authentication methods in their open-source client SDKs, they add.
Cloud storage offers developers an easy way to synchronize data between devices and platforms. Often, such services also include capabilities such as user authentication, storing key-value pairs, social-media integration or push notifications. All the developer has to do is add a few lines of code to link to the service.
But a look at the top three providers — Amazon, Parse.com and CloudMine2 — found that while they do have security controls, “their defaults are mostly alarmingly insecure,” researchers said. “Application developers usually accept these defaults for convenience, failing to include appropriate means of protection such as access control or data encryption.
“By default, most BaaS solutions require an application only to authenticate using an ID that uniquely identifies the app, and a so-called ‘secret’ key, used to indicate that the app uses the ID legitimately. These credentials, however, authenticate neither a device nor a user. They merely authenticate the app as such and are therefore shared between all installations of this app. As we show, adversaries can extract these two values from apps with ease, allowing them to easily forge a malicious application, which inherits the very same backend privileges that the original application had. If the original application was able to list all records of a customer database, the impersonator can do so as well.”
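The quoted passage describes an authorization gap rather than a bug in any one product: an app ID plus app secret proves only that the caller holds a copy of the app, so a backend that grants table-wide access on those two values alone cannot tell a legitimate install from a forged client. The toy backend below is an added illustration written for this article, not code from the researchers or from any BaaS provider; the app ID, secret, user names, passwords and records are all constructed. It runs the same requests under the insecure default (app credentials unlock everything) and under a per-user policy (a session token plus a per-record read ACL is required), so the difference is visible in what each caller gets back.

```python
"""Toy model of app-level vs. per-user authorization in a BaaS-style store.
All identifiers, keys and records are constructed for this example."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Record:
    owner: str                      # user who created the record
    data: dict
    readers: set = field(default_factory=set)   # user IDs allowed to read it (ACL)


class ToyBackend:
    """Minimal BaaS-like store with a switchable authorization policy."""

    def __init__(self, app_id, app_secret, policy):
        assert policy in ("app_credentials_only", "per_user_acl")
        self.app_id, self.app_secret, self.policy = app_id, app_secret, policy
        self.records = []
        self.sessions = {}      # session token -> user ID
        self.passwords = {}     # user ID -> password (plain text only because this is a toy)

    def _check_app(self, app_id, app_secret):
        # Constant-time compare; note this still only proves "some copy of the app".
        return app_id == self.app_id and hmac.compare_digest(app_secret, self.app_secret)

    def register_user(self, user, password):
        self.passwords[user] = password

    def login(self, app_id, app_secret, user, password):
        """Per-user session token: the thing app credentials alone never provide."""
        if not self._check_app(app_id, app_secret) or self.passwords.get(user) != password:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def put(self, app_id, app_secret, token, data):
        if not self._check_app(app_id, app_secret):
            raise PermissionError("bad app credentials")
        owner = self.sessions.get(token)
        if owner is None and self.policy == "per_user_acl":
            raise PermissionError("no valid user session")
        readers = {owner} if owner else set()
        self.records.append(Record(owner or "anonymous", data, readers))

    def list_records(self, app_id, app_secret, token=None):
        if not self._check_app(app_id, app_secret):
            raise PermissionError("bad app credentials")
        if self.policy == "app_credentials_only":
            # Insecure default: the shared app credentials unlock the whole table.
            return [r.data for r in self.records]
        user = self.sessions.get(token)
        if user is None:
            raise PermissionError("no valid user session")
        # Hardened policy: only records whose ACL names this user are returned.
        return [r.data for r in self.records if user in r.readers]


def demo(policy):
    """Run the same requests under one policy; returns what each caller sees."""
    app_id, app_secret = "app-1234", "s3cr3t-constructed"
    be = ToyBackend(app_id, app_secret, policy)
    for u in ("alice", "bob"):
        be.register_user(u, u + "-pw")
    alice = be.login(app_id, app_secret, "alice", "alice-pw")
    bob = be.login(app_id, app_secret, "bob", "bob-pw")
    be.put(app_id, app_secret, alice, {"email": "alice@example.test"})
    be.put(app_id, app_secret, bob, {"email": "bob@example.test"})
    # A forged client knows only the app ID and secret, never a user's session.
    try:
        forged = be.list_records(app_id, app_secret)
    except PermissionError:
        forged = None
    return {"forged_client_sees": forged,
            "alice_sees": be.list_records(app_id, app_secret, alice)}


if __name__ == "__main__":
    for policy in ("app_credentials_only", "per_user_acl"):
        print(policy, demo(policy))
```

Under `app_credentials_only` the client with no session token receives both users' records, which is the "list all records of a customer database" outcome the researchers describe; under `per_user_acl` that same call is refused and Alice's session returns only her own record. The useful design point is that the second policy costs the legitimate app nothing it did not already need (a login), and every check sits on the backend, where a forged client cannot remove it.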
Researchers created an automated tool dubbed HAVOC, which they say not only finds simply embedded credentials through static analysis but also uses hybrid (static/dynamic) analysis for cases where keys are computed at runtime. The implication is that if they can create such a tool, so can hackers.
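The static half of that search is something a development team can run against its own build before release, so that literal keys never reach an app store. The scanner below is an added example written for this article, not HAVOC or any code from the researchers: it walks the kind of string table a build tool or `strings` would extract from an app package and flags two things, assignments whose name suggests a credential and bare tokens whose character entropy is too high to be ordinary text. The sample lines, names and token values are constructed. Like any static check it only catches literal values; keys assembled at runtime, the case the article says needs hybrid analysis, are out of its reach.

```python
"""Pre-release check for literal credentials in an app's extracted strings.
Added example; the scanner, thresholds and sample lines are all constructed."""
import math
import re

# An assignment whose name hints at a credential, followed by a token-like value.
KEY_NAME = re.compile(
    r'(?i)(secret(?:[_-]?key)?|api[_-]?key|app[_-]?id|access[_-]?key)'
    r'\s*[=:]\s*["\']?([A-Za-z0-9_\-/+]{16,})'
)
# Bare runs of base64/hex-like characters; entropy decides whether they look random.
BARE_TOKEN = re.compile(r'[A-Za-z0-9_\-/+]{24,}')


def shannon_entropy(s):
    """Bits per character; 0 for a repeated character, log2(k) for k distinct ones."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_strings(lines, min_entropy=3.5):
    """Return (line_no, kind, name, value) for each suspicious string.

    kind is "named-credential" when a credential-looking name precedes the value,
    or "high-entropy-token" for an unnamed token above the entropy threshold.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = KEY_NAME.search(line)
        if m:
            findings.append((lineno, "named-credential", m.group(1), m.group(2)))
            continue
        for tok in BARE_TOKEN.findall(line):
            if shannon_entropy(tok) >= min_entropy:
                findings.append((lineno, "high-entropy-token", None, tok))
    return findings


# Constructed stand-in for the string table of an app build.
SAMPLE_STRINGS = [
    "app_name=Acme Notes",
    "BAAS_APP_ID=a1b2c3d4e5f6a7b8c9d0e1f2",
    'baasSecretKey: "constructedSecret0123456789ABCDEFGHIJ"',
    "https://api.example.test/v1/objects",
    "session_placeholder=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "X-Auth-Token: Qx7mK2pL9vB4nR8tW3yZ6cF1hJ5sD0aE",
]


if __name__ == "__main__":
    for lineno, kind, name, value in scan_strings(SAMPLE_STRINGS):
        print(f"line {lineno}: {kind} name={name!r} value={value!r}")
```

Lines 2 and 3 are caught by name, line 6 by entropy alone, and the URL and the run of padding characters on lines 4 and 5 are left alone. The entropy threshold is the tuning knob: lower it and ordinary identifiers start to appear in the report, raise it and short or structured keys slip through, so a team should calibrate it on a known-clean build and treat every remaining hit as a question to answer before shipping.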