The exposure of sensitive data such as usernames and passwords has received a great deal of attention in recent months. Users are now generally aware that they should look for the padlock icon to confirm that their data is being transmitted securely.
However, the proliferation of mobile applications that store usernames and passwords has created a new risk that end users do not necessarily recognize. Mobile applications provide little, if any, visible indication that the data they transfer is encrypted. Perhaps if they did, users would have more reason to trust them.
Unfortunately, many application developers add to the problem by not implementing the required security features. The cloud has certainly helped many of them save money and launch their products faster, but some do not have the security controls in place to keep their customers safe.
A recent study conducted by the Technical University of Darmstadt and the Fraunhofer Institute is a good illustration of the problem. The researchers discovered a large number of mobile applications open to attacks that allow third parties to access unencrypted user information, because of unsafe practices in the way mobile apps store data in the cloud. By studying 750,000 Android and iOS apps and the cloud databases they use, such as Facebook's Parse and AWS, the researchers found no fewer than 56 million sets of unprotected user IDs.
The attack takes advantage of a flaw in the way application developers store user databases on cloud-based storage services (also known as backend as a service, or BaaS). Many developers choose BaaS because it lets them store data in the cloud and synchronize it quickly and easily, in just a few lines of code. Some developers use these services to share public data, which is acceptable as long as the data is read-only and the user is informed, but many go further and use them to store credentials, e-mail addresses, photos and so on.
Most importantly, while cloud service providers offer secure data storage options, a large proportion of application developers do not use them, either deliberately or because they misunderstand how they work.
The problem does not lie in the concept of storing this data in the cloud itself. Developers have many legitimate reasons to do so, starting with synchronizing data between devices. The problem is that in almost every case in the study, developers took the simplest option for accessing their BaaS systems: authenticating with nothing more than a single secret key. That key is stored in the application and is therefore accessible to anyone with the appropriate decompilation tools.
And the problem is not limited to obscure applications that no one uses. The developers of some of the most popular apps in the Apple App Store and the Google Play Store did the same.
Unfortunately, there is little an end user can do to control their data in this context. Companies, however, can control which applications their users are allowed to install, and this control can help reduce the risk. It is also important to educate users not to store business credentials in personal apps, and to use a different password for each online service they use.
This problem underlines once more the importance of choosing a different password for every application and service, so as to limit the damage if one set of credentials is compromised.
For their part, application developers have many options at their disposal for storing user data securely. Most leading cloud service providers offer comprehensive documentation on how to use their services as securely as possible. With its Cognito service, Amazon has even sought to simplify the process further.
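To make the two access models above concrete (the single app-wide secret key that ships inside the binary, versus the per-user, time-limited credentials that services such as Cognito are designed to hand out), here is an added Python example written for this page. It is not code from the study or from any BaaS provider: the record store, the key names and the token format are all constructed stand-ins, and the "backend" that issues tokens is assumed to sit server-side where the signing key never reaches the device.

```python
import base64, binascii, hashlib, hmac, json, time

# Constructed sample "cloud database": one record per user.
RECORDS = {"alice": {"email": "alice@example.test"},
           "bob": {"email": "bob@example.test"}}

# --- Weak model: one shared key compiled into every copy of the app.
# Anyone who decompiles the app holds this key, and the key grants access
# to every record, not just the current user's.
APP_MASTER_KEY = "app-master-key-shipped-in-binary"   # constructed placeholder

def read_with_master_key(key, user_id):
    if not hmac.compare_digest(key, APP_MASTER_KEY):
        raise PermissionError("bad key")
    return RECORDS[user_id]                           # no per-user scoping at all

# --- Corrected model: the backend authenticates the user, then issues a
# short-lived token scoped to that user. The signing key stays server-side.
SERVER_SIGNING_KEY = b"server-side-only-signing-key"  # constructed placeholder

def issue_token(user_id, ttl=300, now=None):
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user_id, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(SERVER_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

def read_with_token(token, user_id, now=None):
    now = time.time() if now is None else now
    try:
        body_b64, sig_hex = token.split(".")
        payload = base64.urlsafe_b64decode(body_b64)
    except (ValueError, binascii.Error):
        raise PermissionError("malformed token")
    expected = hmac.new(SERVER_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig_hex):  # tampered claims fail here
        raise PermissionError("bad signature")
    claims = json.loads(payload)
    if claims["exp"] < now:                           # stolen tokens expire quickly
        raise PermissionError("expired")
    if claims["sub"] != user_id:                      # a user's token reads only their data
        raise PermissionError("token not scoped to this user")
    return RECORDS[user_id]

def denied(fn):
    """True if fn() is refused with PermissionError (used to show the checks)."""
    try:
        fn()
        return False
    except PermissionError:
        return True
```

The contrast is the point: a leaked master key reads every user's record, whereas a leaked scoped token reads one user's record until it expires and cannot be rewritten to name another user without the server-side key.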
But ultimately, the key is in the hands of developers: it is up to them to choose to use the tools made available to them by their service providers.