Researchers: Cloud Services Compromise Mobile Apps
Cloud-based back-end services are letting mobile app developers down, according to research announced this week. Even when app developers are careful about their own code, the online services that they use introduce vulnerabilities on a regular basis.
The research, from the Georgia Institute of Technology and The Ohio State University, studied the top 5,000 apps on the Google Play Store. It found that between them, they were using 6,869 server networks across the world.
They scanned cloud-based back-ends and found 1,638 vulnerabilities, of which 655 were zero-days not listed in the National Vulnerability Database. These included SQL injection, cross-site scripting and external XML entity attacks. Some of the apps affected had over 50 million installations, according to their paper.
Mobile apps access back-end services using third-party software-development kits (SDKs) and APIs. Developers use some of them explicitly, but many others are hidden in imported third-party libraries. The apps that use these services communicate with them invisibly. Users don’t know what the services are doing or exactly which servers their phones are talking with when their apps fetch content and advertisements.
“Due to the inherent complexity of cloud-based backends, deploying and maintaining them securely is challenging. Consequently, mobile app developers often disregard prudent security practices when choosing cloud infrastructure, building, or renting these backends,” the researchers said.
This opens up the apps to additional vulnerabilities that could compromise locally running code or leak user data, they added, citing the compromise of the British Airways website, which allowed attackers to steal data from the app.
The researchers scanned the apps with a tool called SkyWalker, which they will soon make available for app developers to audit the cloud-based tools that they are building into their apps.
They will present their findings at the USENIX Security Symposium in Santa Clara, California, which runs August 14–16, 2019.
Source: InfoSecurity Magazine – http://www.infosecurity-magazine.com/