Millions of sensitive records exposed by mobile apps leaking back-end credentials
The analysis was performed by researchers from the Technical University of Darmstadt and the Fraunhofer Institute for Secure Information Technology (SIT), both in Darmstadt, Germany, and the results were presented Friday at the Black Hat Europe security conference in Amsterdam. It targeted applications that use Backend-as-a-Service (BaaS) frameworks from providers like Facebook-owned Parse, CloudMine or Amazon Web Services.
BaaS frameworks offer cloud-based database storage, push notification, user administration and other services that developers can easily use in their apps. Their goal is to minimize the knowledge needed to maintain the back-end servers of an application.
All developers have to do is sign up with a BaaS provider, integrate its software development kit (SDK) in their applications, then use its services through simple application programming interfaces (APIs).
The researchers looked at how developers use these APIs and discovered that many of them embed their primary BaaS access keys, the root credentials for the entire back end, inside their apps. This is a very dangerous practice, because applications, especially mobile ones, can easily be reverse engineered to extract such credentials and then used to access the back-end databases directly, bypassing the app entirely.
In order to see how widespread the problem was, the researchers built a tool that uses both static and dynamic analysis to identify which BaaS provider is used by an application and to extract the BaaS access keys from it, even if they’re obfuscated or computed at runtime.
They ran their tool against more than two million Android and iOS apps and extracted 1,000 back-end credentials and associated database table names. Many of those credentials were reused in multiple apps from the same developer and, in total, they provided access to over 18.5 million records containing 56 million data items.
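The static half of the extraction described above, as an added example that is not the researchers' tool and not code from any BaaS provider: it scans the string resources and decompiled bytecode literals that an unpacked Android app exposes, matches them against key-shaped patterns, and re-joins adjacent literals so a key split in two and concatenated at runtime (the simplest "obfuscation") is still caught. The AWS access-key-ID prefix and length are documented; the Parse rule (a 40-character alphanumeric string) and the generic high-entropy rule are assumptions made here for illustration. All sample inputs are constructed; the AWS values are AWS's own published example credentials.

```python
import math
import re
from collections import Counter

# Constructed samples of what unpacking an APK with apktool yields: a fragment
# of res/values/strings.xml and a fragment of decompiled smali. Neither comes
# from a real app; the AWS values are AWS's documented example keys.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">DemoNotes</string>
    <string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
    <string name="parse_app_id">a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0</string>
    <string name="welcome">Welcome back!</string>
</resources>"""

# A key assembled at runtime from two literals: neither half matches a key
# pattern on its own, only the concatenation does.
SAMPLE_SMALI = """
    const-string v0, "AKIAI44Q"
    const-string v1, "H8DHBEXAMPLE"
    invoke-virtual {v0, v1}, Ljava/lang/String;->concat(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v2
    const-string v3, "com.example.demonotes"
"""

# (rule name, pattern, minimum Shannon entropy in bits/char). Order matters:
# the first rule a value satisfies wins. AWS access key IDs are "AKIA" plus
# 16 uppercase alphanumerics (documented); the Parse and generic rules are
# assumptions used here for illustration only.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.0),
    ("parse_key", re.compile(r"^[A-Za-z0-9]{40}$"), 3.5),
    ("generic_secret", re.compile(r"^[A-Za-z0-9/+=_\-]{32,}$"), 3.5),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys sit well above 3.5, prose and IDs below."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def strings_from_xml(xml: str):
    """Yield (context, value) for every <string name=...> resource."""
    for name, value in re.findall(r'<string name="([^"]+)">([^<]*)</string>', xml):
        yield f"strings.xml:{name}", value


def strings_from_smali(smali: str):
    """Yield every const-string literal, then each adjacent pair joined, so a
    key split over two literals and concatenated at runtime is still seen."""
    literals = re.findall(r'const-string [vp]\d+, "((?:[^"\\]|\\.)*)"', smali)
    for lit in literals:
        yield "smali:const-string", lit
    for a, b in zip(literals, literals[1:]):
        yield "smali:joined", a + b


def classify(value: str):
    """Return the first rule name the value satisfies, or None."""
    for name, pattern, min_entropy in RULES:
        if pattern.search(value) and shannon_entropy(value) >= min_entropy:
            return name
    return None


def find_credentials(candidates):
    """Scan (context, value) pairs; return findings, one per distinct
    (rule, value, context) so a key seen in two places is reported twice."""
    seen = set()
    findings = []
    for context, value in candidates:
        kind = classify(value)
        if kind and (kind, value, context) not in seen:
            seen.add((kind, value, context))
            findings.append({"kind": kind, "value": value, "context": context})
    return findings


def scan_sample():
    """Run the scanner over the constructed samples."""
    return find_credentials(list(strings_from_xml(SAMPLE_STRINGS_XML))
                            + list(strings_from_smali(SAMPLE_SMALI)))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['kind']:20} {f['context']:28} {f['value']}")
```

On a real target the inputs would be the full `res/values/*.xml` and every `.smali` file under the unpacked APK, and the joined-literal heuristic would be extended to follow `StringBuilder` chains and XOR-decoded byte arrays; a key that only exists after a network call or native code runs is what the dynamic half of the researchers' approach is for.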
The researchers did not actually download the records, but they were able to count them and figure out their type by simply looking at the database tables. The records included car accident information, user-specific location data, birthdays, contact information, telephone numbers, pictures, valid email addresses, purchase data, private messages, baby growth data and even whole server backups.
The researchers even found a mobile Trojan that used a BaaS service to store data and SMS messages stolen from infected devices, along with the attackers’ own commands and planned tasks.
The inclusion of root BaaS credentials in applications not only exposes data records to theft by anyone who extracts the key, but also to manipulation or deletion. Attackers could also use the credentials to store their own data in those databases at the expense of the real account owners, who might not even realize that this is happening.
Google, Apple and the BaaS providers have been contacted about the issue since April, and in turn notified some of the developers whose apps were affected. However, as of Nov. 12, access to over 52 million data items was still freely available with the exposed credentials, the researchers said.
Some of this data is in limbo, because the apps that created it don’t even exist anymore as their developers moved on to other things. The service providers can’t simply delete it either, because the accounts are still active.
This suggests that developers either don’t care or don’t know how to fix the problem.
Some BaaS providers, like Amazon and Parse, offer more advanced access control and the ability to authenticate individual app users with the back-end services, rather than authenticating the whole app with a single shared key. However, these can be hard to implement.
In some cases, implementing such identity management is so complicated that it defeats the primary goal of BaaS frameworks, which is to simplify developers’ jobs.
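To make the difference between the two models concrete, here is an added example, a toy in-memory back end written for this page and not the code of Parse, Amazon or any other provider. It has a master key that never leaves the server, a client key that may ship inside the app but grants no data access by itself, and short-lived session tokens issued only after a user logs in; every query is scoped to the row owner on the server side. The table contents, user names and passwords are constructed. The point it demonstrates is that once the credential in the app is a client key rather than a root key, extracting it gives an attacker nothing the server does not already enforce per user.

```python
import hmac
import secrets
import time

# Constructed demo data; nothing here is from a real BaaS tenant.
TABLES = {
    "Messages": [
        {"id": 1, "owner": "alice", "text": "dentist 9am"},
        {"id": 2, "owner": "bob", "text": "wire transfer details"},
        {"id": 3, "owner": "alice", "text": "mom's birthday"},
    ]
}


class Backend:
    """Toy BaaS tenant: one master key, one client key, per-user sessions."""

    SESSION_TTL = 3600  # seconds

    def __init__(self, users):
        self.master_key = secrets.token_hex(20)   # server-side only; never in the app
        self.client_key = secrets.token_hex(20)   # identifies the app; safe to ship
        self._users = users                       # username -> password (demo only)
        self._sessions = {}                       # token -> (user, expiry)

    def login(self, client_key, user, password, now=None):
        """Exchange app identity plus user credentials for a session token."""
        if not hmac.compare_digest(client_key, self.client_key):
            raise PermissionError("unknown app")
        if not hmac.compare_digest(self._users.get(user, ""), password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._sessions[token] = (user, now + self.SESSION_TTL)
        return token

    def query(self, table, credential, now=None):
        """Return the rows the presented credential is allowed to see.

        master key   -> every row (this is what a leaked root key buys)
        session token-> only rows owned by the logged-in user
        client key   -> nothing: the credential that ships in the app has no
                        data rights, so reverse engineering it is worthless
        """
        rows = TABLES[table]
        if hmac.compare_digest(credential, self.master_key):
            return list(rows)
        session = self._sessions.get(credential)
        if session:
            user, expiry = session
            now = time.time() if now is None else now
            if now < expiry:
                return [r for r in rows if r["owner"] == user]
            del self._sessions[credential]
            raise PermissionError("session expired")
        raise PermissionError("client key alone grants no data access")


if __name__ == "__main__":
    backend = Backend({"alice": "pw-a", "bob": "pw-b"})
    print("root key sees", len(backend.query("Messages", backend.master_key)), "rows")
    token = backend.login(backend.client_key, "alice", "pw-a")
    print("alice's session sees", backend.query("Messages", token))
    try:
        backend.query("Messages", backend.client_key)
    except PermissionError as e:
        print("client key from the APK:", e)
```

The awkward part the paragraph above refers to is everything that surrounds `login`: registering users, resetting passwords, attaching ownership to every write, and expressing the per-row rule in the provider's own ACL or policy language instead of a Python list comprehension. That is the work a root key in the app lets a developer skip, and exactly the work that keeps the data private when the app is unpacked.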
It’s no wonder that developers choose the easy route, which is also the insecure one, the researchers said.
While this is ultimately the developers’ problem, BaaS providers could improve their documentation so that even app creators with no security education can understand how to use the technology and the risks they're exposed to if they don’t do it properly. Providers could even force developers to take action by detecting apps that access their services using root access keys and displaying a warning, the researchers said.