Tens of thousands of Android and iOS apps are leaking user data from the cloud, according to a recent report on research by mobile security firm Zimperium. The firm analyzed more than 1.3 million apps across both platforms and found that only a fraction of them used public cloud services (about 131,000, or roughly 10 percent, going by the per-platform counts below). Among those cloud-backed apps, 14 percent exposed user data.
That may sound like a small share, but it means that of the roughly 84,000 Android apps using Amazon Web Services, Google Cloud, Microsoft Azure or another public cloud service, 11,877 were leaking user data. On iOS, 6,608 of roughly 47,000 cloud-backed apps were leaking data.
For many of the apps in question, the cloud storage behind the app (object storage buckets, hosted databases and the like) is simply not configured properly: the service is left reachable without authentication, typically because a default or convenience setting was never locked down. As a result, the stored data is effectively readable by anybody who knows where to look, which in practice means anybody who can pull the storage endpoint or bucket name out of the app's binary or its network traffic.
What data are these Android and iOS apps leaking?
What data is actually leaking from these Android and iOS apps varies significantly. Zimperium isn't naming apps in its report, both because some still haven't fixed the problem and because there's no feasible way to reach out individually to thousands of developers.
Among the apps the researchers described in more detail, at least one belongs to a Fortune 500 company; that app is exposing user session information and financial details. At least one medical app is storing test results and user profile images in the open. Across the rest, the exposed data ranges from personal details like those to, in some cases, passwords, with the full spread of possible leaks depending on what the app in question is for.
So is anything being done to fix this?
As of this writing, Zimperium has reportedly reached out to several of the developers in question, but the firm says the response has been minimal at best, and many of the apps are still leaking user data. The researchers also haven't said whether any of the exposed data has been found and misused by others; given the scale of the exposure, spread over thousands of independently owned storage endpoints, that is not something they could realistically determine.
Perhaps worse, the usual user-side protections won't help here. Mobile antivirus, app permissions and on-device encryption guard against other threats, but these problems sit entirely on the cloud side: the data is exposed by the developer's storage configuration, not by anything on the phone, so there is nothing a user can change on the device to close the hole.
With nearly 20,000 apps misconfigured, some in ways that allow data to be changed or overwritten rather than just read, it will ultimately be up to developers to fix the problem. Cloud providers have made it easier than ever to detect potential misconfiguration and do warn customers, that is, the developers using the services, about it; the major providers now flag publicly accessible storage in their consoles and offer account-wide settings that block public access outright. But those developers will need to go back into their apps and backends to ensure the appropriate protections are in place, and there's no clear indication of how long it will take until the apps are fixed.
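To make the misconfiguration concrete, here is an added example (not code from the article or from Zimperium) that checks an S3-style bucket policy offline for grants to the anonymous principal, the setting that turns a private bucket into the kind of open storage described above. It shows a constructed "before" policy with anonymous read and anonymous write beside a "after" policy that restricts access to a single backend role; the bucket name, ARNs and account ID are hypothetical, and the policy documents are constructed for illustration rather than taken from any real app.

```python
"""Flag anonymous (public) grants in an S3 bucket policy.

Added example, not code from the original article or from Zimperium.  It
parses the IAM policy language offline and reports Allow statements that let
the anonymous principal read, list or write objects.  Bucket names, ARNs and
the account ID are hypothetical; both policies are constructed samples.
"""
import fnmatch
import json
from typing import Any, Dict, List

# Constructed "before" policy: anonymous read and list, plus anonymous write,
# i.e. the case where stored data can be changed or overwritten by anyone.
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-uploads",
                      "arn:aws:s3:::example-app-uploads/*"]},
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-app-uploads/*"},
    ],
})

# Constructed "after" policy: only the app's backend role may touch objects;
# mobile clients would get short-lived pre-signed URLs issued by that backend.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackendOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-backend"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/*"},
    ],
})

READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
                 "s3:PutObjectAcl", "s3:PutBucketPolicy", "s3:PutBucketAcl")


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or an array in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal: Any) -> bool:
    """True for the forms that mean 'anyone': "*", {"AWS": "*"}, {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants(patterns: List[str], actions) -> bool:
    """Does any action pattern ("s3:*", "s3:Get*", ...) cover one of `actions`?"""
    return any(fnmatch.fnmatchcase(a.lower(), p.lower())
               for p in patterns for a in actions)


def find_public_grants(policy_json: str) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement whose principal is anonymous."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        patterns = _as_list(stmt.get("Action"))
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "read": _grants(patterns, READ_ACTIONS),
            "write": _grants(patterns, WRITE_ACTIONS),
            # A Condition (aws:SourceIp, aws:SourceVpce, ...) may narrow "*",
            # so flag it for manual review rather than silently calling it safe.
            "conditional": "Condition" in stmt,
            "resources": _as_list(stmt.get("Resource")),
        })
    return findings


def summarize(policy_json: str) -> str:
    """One line per finding, suitable for a CI gate or pre-deploy check."""
    findings = find_public_grants(policy_json)
    if not findings:
        return "OK: no anonymous grants"
    lines = []
    for f in findings:
        access = "+".join(k for k in ("read", "write") if f[k]) or "other"
        note = " (has Condition, review)" if f["conditional"] else ""
        lines.append(f"PUBLIC {access}: {f['sid']} -> "
                     f"{', '.join(f['resources'])}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("before:\n" + summarize(LEAKY_POLICY))
    print("after:\n" + summarize(FIXED_POLICY))
```

The check deliberately treats a statement with a `Condition` as still public but marked for review, because a condition on source IP or VPC endpoint can make a `"Principal": "*"` grant legitimate and a scanner that ignores conditions produces noise developers learn to dismiss. It covers only bucket policies; a bucket can also be opened through legacy ACLs or through an account that has not enabled the provider's block-public-access setting, so a real audit needs to check those layers too.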