Personally identifiable information (PII), financial data, medical records, account credentials, and intellectual property all require strict access controls to prevent unauthorized exposure. Unfortunately, mobile applications commonly used in both personal and professional settings can compromise this data, even when users believe they are following best security practices.
As mobile devices have become central to business operations, especially with widespread bring-your-own-device (BYOD) policies, they are increasingly serving as primary access points for digital services, they have also become a significant attack surface for data leaks and breaches.
To investigate the risks associated with mobile applications, zLabs, the research team at Zimperium, conducted an extensive analysis of 54,648 work-related apps (9,078 Android and 45,570 iOS) available through official app stores. These apps were found on enterprise device fleets monitored by Zimperium customers. The analysis focused on identifying vulnerabilities related to cloud integration and cryptographic practices.
Data Leaks Vs. Data Breaches
Data leaks differ from data breaches in that leaks typically result from poor security practices, negligence, or flawed data handling processes within apps, rather than from deliberate external attacks. Leaks occur when sensitive data is unintentionally exposed during transmission, storage, or use.
Cloud services, while widely adopted for their scalability and convenience, were identified as a major risk factor. Sixty-two percent of the analyzed apps incorporated cloud APIs or SDKs. Among Android apps, 103 were found using unprotected or misconfigured cloud storage.
Four of these apps were ranked within the top 1,000 most popular apps on the PlayStore. In several cases, file and directory indexes were viewable by the public, and full repository contents could be accessed without credentials. Continuous automated scanning of cloud repositories by malicious actors increases the likelihood that exposed data will be harvested for malicious use, including identity theft, blackmail, and spear-phishing attacks.
Further analysis revealed that 10 Android apps contained hardcoded credentials to AWS cloud services. These exposed credentials could allow attackers to read sensitive data, alter or delete records, or encrypt information without the need for a traditional ransomware attack.
Real-world incidents illustrate the severity of these vulnerabilities. One of the world’s largest automobile manufacturers recently suffered a data breach affecting approximately 260,000 customers due to a cloud misconfiguration.
Failing Encryption
Cryptographic weaknesses were also commonplace. Encryption is a key defense mechanism designed to render intercepted or stolen data unreadable. However, 88% of all analyzed apps and 43% of the top 100 apps used one or more cryptographic methods that failed to adhere to best practices.
Identified flaws included the use of hardcoded cryptographic keys, outdated algorithms such as MD2, insecure random number generators, and the reuse of cryptographic keys. These vulnerabilities increase the risk that sensitive data could be intercepted, decrypted, and exploited.
For entities, these cloud and cryptographic vulnerabilities are a major risk. Misconfigured cloud storage can lead to immediate exposure of sensitive corporate information. Poor encryption practices can violate data protection regulations such as GDPR, HIPAA, or MASVS. Financially, the average cost of a data breach stands at $4.88 million, with compromised credentials and cloud misconfigurations ranking among the most common initial attack vectors.
Protecting Our Digital World
“As we live in a digital world, much of our private and personal data is processed on digital channels,” says Boris Cipot, senior security engineer at Black Duck. “We depend on the web service or application providers to handle our data with care and protect it in transit while it’s being stored. However, as the latest finding from Zimperium shows, this is not the case.”
Cipot says cryptography is the foundation of secure communication and data storage. However, if flawed cryptographic algorithms are used or no protection is used, this is a highly alarming state. The presence of hardcoded keys and outdated algorithms is especially dangerous as they can be the reason for exposed high-volume data to be compromised.
“Misconfiguration in cloud storage and exposed credentials are like leaving the front door open and saying the house is safe. They invite attackers to steal data simply by exploiting sloppy security configurations or application security.
“Organisations need to accept that application security practices like secure development processes, application testing, strict security-backed configuration, and ongoing monitoring are not a choice, they are mandatory steps in today’s digital world necessary to manage software risk.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.