Appthority on Thursday warned that up to 700 apps in the enterprise mobile environment, including more than 170 that were live in official app stores, could be exposed by the Eavesdropper vulnerability.
The company's research found that the affected Android apps alone may have been downloaded up to 180 million times, which makes this a large-scale data exposure.
But how did this happen? Eavesdropper is the result of developers hard-coding Twilio account credentials into mobile applications that use the Twilio REST API or SDK. That goes against the best practices Twilio recommends in its own documentation, and Twilio has reached out to the development community, including the developers of affected apps, to help secure the accounts.
Appthority first discovered the issue back in April and notified Twilio of the exposed accounts and their vulnerability.
The vulnerability exposes large amounts of sensitive, and even historical, data: call records, minutes of call audio recordings, and the content of SMS and MMS text messages. Because the exposed credentials are for the Twilio account rather than for any one device, whoever holds them can pull that data straight from Twilio's API, regardless of which phone the app runs on.
How to Reduce the Risk
The best approach for an enterprise is to identify the Eavesdropper-vulnerable apps in its environment and determine whether the data those apps handle is sensitive.
Not every conversation involves confidential information, and the way an app is used in the enterprise may not involve data that is sensitive or of interest to an attacker.
If the messages, audio content or call metadata do turn out to be sensitive or proprietary, there may be little that can be done about conversations already exposed through prior use of the app.
Future exposure, however, can be prevented, either by confirming the fix with the developer or by switching to an alternate app with the same or similar functionality that does not have the Eavesdropper vulnerability. Confirming the fix means more than checking that a new build no longer contains the credentials: the old credentials must also be revoked, since older installs and any copies already extracted from the binary keep working until they are. In either case the enterprise should contact the developers and have them delete the exposed recordings and messages held in the Twilio account.
Is Sloppy Coding the Reason?
The Eavesdropper problem is not limited to apps built with the Twilio REST API or SDK. Developers point out that hard-coding credentials is a common error that increases the security risk of mobile applications: anything embedded in a shipped app package can be recovered by anyone who downloads and decompiles it.
The core problem is developer carelessness, so what Appthority revealed in its research is not a particular revelation. Rather, it is another example of bad practice leading to bad results: it is tempting for a coder to take shortcuts while developing an app, with the sincere intent of cleaning things up later, and then the shortcuts ship. That is how the security risk reaches the phones and the sensitive data on them.
Since many of these apps are developed by a single person or a small team, there are no routine quality-control checks, which is another reason for the risk. Right now it is up to the stores, primarily Apple's and Google's, to do that QC work; they are presumably looking at this particular problem and might screen more thoroughly for hard-coded credentials in the future.
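As an added example (not Appthority's or Twilio's tooling, and not code from the original article), here is the check that serves both the "find the vulnerable apps" step in the previous section and the hard-coded-credential error just described, whether run by an enterprise security team or by a store reviewer: a Python scanner over the string literals pulled out of an app build (the output of `strings` on a decompiled APK or IPA, or a grep of a source tree). The formats it matches are Twilio's documented ones: an Account SID is `AC` followed by 32 hex characters, an API Key SID is `SK` followed by 32 hex characters, an auth token or API key secret is a bare 32-character hex string, and the REST API authenticates with HTTP Basic auth using `SID:secret`, which some apps embed already base64-encoded as a ready-made Authorization header. The sample strings, SID and token are constructed for the example and belong to no real app or account.

```python
"""Scan string literals from a mobile app build for embedded Twilio credentials.

Added example for this article; not Appthority's or Twilio's tooling. Input is
assumed to be the string literals recovered from a build (e.g. `strings` over a
decompiled APK/IPA, or a grep of the source tree). The sample input is constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Twilio's documented formats: Account SID = "AC" + 32 hex, API Key SID = "SK" + 32 hex,
# auth token / API key secret = 32 bare hex chars. The REST API uses HTTP Basic auth
# with "SID:secret", which some apps embed already base64-encoded.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-f]{32}\b")
API_KEY_SID_RE = re.compile(r"\bSK[0-9a-f]{32}\b")
BARE_SECRET_RE = re.compile(r"(?<![0-9A-Za-z])[0-9a-f]{32}(?![0-9A-Za-z])")
BASIC_PAIR_RE = re.compile(r"\b(?:AC|SK)[0-9a-f]{32}:[0-9a-f]{32}\b")
BASE64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class Finding:
    kind: str      # account_sid | api_key_sid | bare_secret | basic_pair | base64_pair
    value: str     # redacted, so the report itself does not leak the secret
    line_no: int   # 1-based index into the scanned strings


def _redact(value: str) -> str:
    return value[:6] + "..." + value[-4:]


def _decode_basic_pair(blob: str) -> Optional[str]:
    """Return the 'SID:secret' pair hidden in a base64 blob, if that is what it holds."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    m = BASIC_PAIR_RE.search(raw.decode("ascii", errors="ignore"))
    return m.group(0) if m else None


def scan(strings: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for no, s in enumerate(strings, start=1):
        pair = BASIC_PAIR_RE.search(s)
        if pair:
            findings.append(Finding("basic_pair", _redact(pair.group(0)), no))
            continue  # the SID and secret inside the pair need not be reported again
        for m in ACCOUNT_SID_RE.finditer(s):
            findings.append(Finding("account_sid", _redact(m.group(0)), no))
        for m in API_KEY_SID_RE.finditer(s):
            findings.append(Finding("api_key_sid", _redact(m.group(0)), no))
        for m in BARE_SECRET_RE.finditer(s):
            findings.append(Finding("bare_secret", _redact(m.group(0)), no))
        for m in BASE64_RE.finditer(s):
            decoded = _decode_basic_pair(m.group(0))
            if decoded:
                findings.append(Finding("base64_pair", _redact(decoded), no))
    return findings


def assess(findings: List[Finding]) -> str:
    """Collapse findings into the one question that matters: is a usable credential embedded?"""
    kinds = {f.kind for f in findings}
    has_sid = bool(kinds & {"account_sid", "api_key_sid"})
    if kinds & {"basic_pair", "base64_pair"} or (has_sid and "bare_secret" in kinds):
        return "credential_pair_embedded"   # anyone holding the binary can call the Twilio API
    if has_sid:
        return "identifier_only"            # a SID on its own is not a secret
    return "clean"


# Constructed sample: what a decompiled build that embeds Twilio credentials might contain.
# The SID and token are made up for this example and belong to no account.
SAMPLE_SID = "AC" + "a1b2c3d4e5f60718293a4b5c6d7e8f90"
SAMPLE_TOKEN = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
SAMPLE_STRINGS = [
    "https://api.twilio.com/2010-04-01/Accounts/%s/Messages.json",
    "TWILIO_ACCOUNT_SID",
    SAMPLE_SID,
    "TWILIO_AUTH_TOKEN",
    SAMPLE_TOKEN,
    "Authorization",
    "Basic " + base64.b64encode(f"{SAMPLE_SID}:{SAMPLE_TOKEN}".encode()).decode(),
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of "": a 32-hex false positive on its own
    "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "+15005550006",
]

if __name__ == "__main__":
    results = scan(SAMPLE_STRINGS)
    for f in results:
        print(f"line {f.line_no}: {f.kind} {f.value}")
    print("verdict:", assess(results))
```

A 32-character hex string on its own is only weak evidence (the MD5 digest in the sample trips the same pattern), which is why `assess` reports an embedded credential pair only when a SID and a secret, or a ready-made `SID:secret` pair, are both present; an Account SID alone is an identifier, not a secret. A positive verdict is the cue for the contact-the-developer step in the previous section: the remedy is to revoke the token in the Twilio account and move the API calls behind the developer's own backend, not merely to ship a new build with the strings removed.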
For security and privacy to come first, coding in general may need a paradigm shift. Unfortunately, too often security is seen as a cost centre, and the user's privacy is seen as the revenue generator for the company that develops the app.
Apps are therefore often insecure, and privacy is consequently nonexistent, and this is done deliberately to minimise cost and maximise revenue. By that reasoning, the only way to combat these breaches is for consumers to pay full price for the apps they use and to reject advertising-supported apps.
But There Is No Easy Fix
One of the most worrisome facts about this vulnerability is that exploiting it does not require a jailbreak or root on the device, nor does it take advantage of any known operating-system vulnerability in the smartphone. The credentials are simply read out of the app package, and the data is then fetched from Twilio.
Moreover, the exposure is not resolved by removing the affected app from a user's device. The data remains accessible until the hard-coded credentials are revoked and replaced, so the concern stays live.
For an individual user there is little to do beyond uninstalling the affected apps and hoping that the data has not already been taken; uninstalling stops the app from sending new data through the exposed account, but it does not close the account itself.
There is also a concern that some users may buy phones preloaded with apps that could compromise their personal information. The app stores, together with the API providers, could force developers to update their code by having all exposed API credentials invalidated or revoked.
The immediate effect, however, would be that many valued consumer smartphone apps and services would stop working at the same time, which would leave a large gap.
Users appear to have few options, and it can be difficult for consumers even to see which apps are Eavesdropper-affected. Users who work at a company can ask their IT security team for a list of approved apps, delete the vulnerable ones and install unaffected alternatives instead.
The bigger challenge is how to stop the flow of information from this breach while still providing access to valued services. The situation arose in no small part because developers were sloppy, but consumer attitudes likely played a role as well: many people favour ease of use over mobile device security, especially on Android smartphones.
Consumers are still too casual about their privacy and opt not to pay, choosing instead the option in which their privacy is monetised and compromised through sloppily coded apps.