* Flaw leaves data stored by apps vulnerable -researchers
* Almost every category of app considered vulnerable
* Passwords, addresses, photos, medical data all at risk
* Records affected "will likely be in the billions"
By Jeremy Wagstaff
SINGAPORE, June 17 Security researchers have
uncovered a flaw in the way thousands of popular mobile
applications store data online, leaving users' personal
information, including passwords, addresses, door codes and
location data, vulnerable to hackers.
The team of German researchers found 56 million items of
unprotected data in the applications it studied in detail, which
included games, social networks, messaging, medical and bank
transfer apps.
"In almost every category we found an app which has this
vulnerability in it," said Siegfried Rasthofer, part of the team
from the Fraunhofer Institute for Secure Information Technology
and Darmstadt University of Technology.
Team leader Eric Bodden said the number of records affected
"will likely be in the billions".
Another security researcher working separately, Colombian
Jheto Xekri, said he had also found the same flaw.
The problem, Bodden said, is in the way developers - those
who write and sell the applications - authenticate users when
storing their data in online databases.
Most such apps use cloud back-end services such as Amazon Web
Services or Facebook's Parse to store, share or back up users' data.
While such services offer ways for developers to restrict who may
read each user's records, most leave the default setting, in which
access rests on a string of letters and numbers, called a token,
that is embedded in the app's code and is therefore identical in
every copy of the app that users download.
Attackers, Bodden says, can easily extract and tweak those
tokens in the app, which then gives them access to the private
data of all users of that app stored on the server.
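To make the mechanism concrete, here is an added illustration in Python. It is not code from the researchers and not the Parse or AWS API; it is a toy back end in which the app token, the user names, the passwords and the stored records are all constructed. It contrasts the two settings the article describes: under the default, any caller presenting the app token can read every record; with per-user access control, a caller must also hold a session token issued at login, so a token extracted from the app binary yields nothing on its own.

```python
# Added illustration: a toy model of a Backend-as-a-Service (BaaS) store.
# It is not Parse's or AWS's API and not the researchers' tooling; it only
# shows why an app token embedded in every copy of an app cannot, on its own,
# protect one user's records from anyone who extracts that token.
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# Constructed value standing in for the token shipped inside the app. Because
# it is identical in every installed copy, it must be treated as public.
APP_TOKEN = "app-token-identical-in-every-install"


@dataclass
class Record:
    owner: str
    data: dict
    # User ids allowed to read this record; "*" means any caller that presents
    # the app token, which is what the default setting amounts to.
    readers: set = field(default_factory=set)


class Backend:
    def __init__(self, per_user_acl: bool):
        self.per_user_acl = per_user_acl      # the "security setting" at issue
        self.users = {}                       # user id -> password (toy, plaintext)
        self.sessions = {}                    # session token -> user id
        self.records = []

    def _check_token(self, token: str) -> None:
        # The app token only identifies which app is calling; it is not a secret.
        if token != APP_TOKEN:
            raise PermissionError("unknown app")

    def signup(self, token: str, user: str, password: str) -> None:
        self._check_token(token)
        self.users[user] = password

    def login(self, token: str, user: str, password: str) -> str:
        self._check_token(token)
        if self.users.get(user) != password:
            raise PermissionError("bad credentials")
        session = secrets.token_hex(16)       # per-user secret, never in the binary
        self.sessions[session] = user
        return session

    def save(self, token: str, session: str, data: dict) -> None:
        self._check_token(token)
        owner = self.sessions[session]        # KeyError if the session is bogus
        readers = {owner} if self.per_user_acl else {"*"}
        self.records.append(Record(owner, data, readers))

    def query(self, token: str, session: str | None = None) -> list[dict]:
        """Return every record the caller may read.

        A caller with only the app token and no session is exactly what an
        attacker who pulled the token out of the app looks like to the server.
        """
        self._check_token(token)
        caller = self.sessions.get(session)   # None for token-only callers
        return [r.data for r in self.records
                if "*" in r.readers or caller in r.readers]


# Constructed sample users and the private data their app stores for them.
SAMPLE = [("alice", "pw-a", {"door_code": "4711"}),
          ("bob", "pw-b", {"address": "12 Example St"})]


def run_scenario(per_user_acl: bool) -> tuple[list[dict], list[dict]]:
    """Populate a backend, then read it back as an attacker and as alice."""
    be = Backend(per_user_acl)
    for user, pw, data in SAMPLE:
        be.signup(APP_TOKEN, user, pw)
        be.save(APP_TOKEN, be.login(APP_TOKEN, user, pw), data)
    # Attacker: extracted the token from the app, holds no user session.
    attacker_sees = be.query(APP_TOKEN)
    # Alice: legitimate user with her own session.
    alice_sees = be.query(APP_TOKEN, be.login(APP_TOKEN, "alice", "pw-a"))
    return attacker_sees, alice_sees


if __name__ == "__main__":
    for setting in (False, True):
        leaked, own = run_scenario(setting)
        print(f"per-user ACL={setting}: attacker reads {len(leaked)} record(s), "
              f"alice reads {len(own)}")
```

Run as a script, the default setting lets the token-only caller read both users' records, while the per-user setting returns nothing to that caller and only alice's own record to alice. The design point is that the app token is an identifier rather than a credential: whatever protects the data has to be something the server checks per user and per record, because the token itself is in every user's hands.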
The researchers said they had no documented evidence that
the vulnerability had been exploited.
The vulnerable applications, which they declined to name,
number in the tens of thousands, and include some of the most
popular on the Apple and Google app stores.
Rasthofer said all four companies had responded to their
findings; he said Apple staff had told him on Monday that they
would soon incorporate warnings to developers to double check
their security settings before uploading apps to its App Store.
Google declined to comment, while Apple and Amazon
did not respond to queries.
A Facebook spokesperson said that after researchers
notified it of the vulnerability the company had been working
with affected developers. She declined to provide details.
APP DEVELOPERS RESPONSIBLE
Facebook's Parse lists among its customers some of the
world's biggest companies - all of which, Rasthofer said, were
potentially affected.
Security researchers say mobile applications are more at
risk of failing to secure users' data than those running on
desktop or laptop computers. This is partly because implementing
stronger security is harder, and partly because developers are
in a rush to release their apps, said Ibrahim Baggili, who runs
a cybersecurity lab at the University of New Haven.
Others pointed to weaknesses in the ways apps transmit data.
Bryce Boland, Asia Pacific chief technology officer at internet
security company FireEye, said the report reflected
deeper problems.
He said FireEye regularly found developers send users' names
and passwords unencrypted, "so it's not surprising to find them
storing them insecurely as well".
Bodden likened his team's discovery to the Heartbleed bug, a
flaw in the widely used OpenSSL encryption library reported last
year that left half a million web servers susceptible to data
theft. Security
researchers said this might be worse, since there was little
users could do, and exploiting the vulnerability was easy.
"The amount of effort to compromise data by exploiting app
vulnerabilities is far less than the effort to exploit
Heartbleed," said Toshendra Sharma, founder of Bombay-based
mobile security company Wegilant.
Other security researchers say that while responsibility for
weak authentication lies with those developing the apps, others
in the chain should shoulder some of the blame.
"The truth is that there is plenty of fault to go around,"
said Domingo Guerra, co-founder of mobile security company
Appthority. Cloud providers and app stores, he said, should
ensure best practices are implemented correctly and test apps
for such holes.
(Additional reporting by Mari Saito, Julia Love; Editing by
Will Waterman)