Sign In

Communications of the ACM

ACM TechNews

Millions of Sensitive Records Exposed By Mobile Apps Leaking Back-End Credentials

View as: Print Mobile App Share:
Artist's representation of mobile phone data.

Researchers have determined that thousands of mobile applications implement cloud-based, back-end services in a way that allows anyone access to the sensitive records created by users.


Researchers from the Technical University and the Fraunhofer Institute for Secure Information Technology in Germany have found thousands of mobile applications implement cloud-based, back-end services in a way that lets anyone access millions of sensitive records created by users.

The researchers focused on applications that used backend-as-a-service (BaaS) frameworks. BaaS frameworks offer cloud-based database storage, push notification, user administration, and other services, with the goal of minimizing the knowledge needed to maintain the back-end servers of an application.

The researchers examined how developers user application programming interfaces, and found many of them include their primary BaaS access keys inside their apps. The researchers say this is a dangerous practice because mobile applications can be reverse-engineered to extract credentials and access back-end databases.

The researchers developed a tool that uses both static and dynamic analysis to identify which BaaS provider is used by an app and to extract the BaaS access keys from it; they ran this tool against more than 2 million Android and iOS apps and extracted 1,000 back-end credentials and associated database table names. In addition, the researchers found many of those credentials were reused in multiple apps, producing more than 18.5 million records containing 56 million data points.

From IDG News Service
View Full Article


Abstracts Copyright © 2015 Information Inc., Bethesda, Maryland, USA


No entries found