Behind the Mobile App: Your Data Exposed

By on Dec 22, 2015

Taylor Swift dropped a musical explosion when she released her music video for the song “Bad Blood” earlier this year. The song and its accompanying video captivated audiences as it depicted something many could relate to – being betrayed by a trusted peer. Who would have thought the basis of a song could also be applied to our mobile phones? More specifically, mobile apps.

Whether it’s Facebook, Amazon, or Candy Crush, mobile users are crazy about their apps. But, do they love us back? In a recent study performed by researchers from the Technical University and the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany it was found that thousands of mobile apps implement cloud-based, back-end services in a way that lets anyone access users’ sensitive records. Thus, mobile apps are not as secure as we’d like to think they are. That’s one way to create “Bad Blood” between users and their apps.

What are back-end services, you ask? Backend-as-a-service (BaaS) offer cloud-based database storage. These services provide the apps with push notifications, user administration, and more. Mobile apps use this service to make their apps seamless to use, while also minimizing the knowledge developers need to maintain the back-end servers of an app.

When developers use BaaS, they integrate the BaaS software into their apps and use the back-end service through simple application programming interfaces, better known as APIs. What researchers found, however, was that developers use APIs in the primary BaaS access key in the apps, which is bad news for app users because this practice allows data to be exposed. Mobile apps are easily reverse-engineered to extract the credentials needed to access back-end databases, where users’ data is hosted.

The researchers took their study one step further to see just how bad this problem was. They tested more than 2 million Android and iOS apps and were able to extract 1,000 back-end credentials. Many of the credentials were reused in multiple apps created by the same developers. From the back-end credentials, more than 18.5 million records were exposed.

Although the researchers didn’t download the records, they still could see what types of data were being exposed. This included user-specific location data, birthdays, contact information, telephone numbers, pictures, valid email addresses, purchase data, and private messages. Data you wouldn’t want criminals to have access to, right?

While the problem is mostly out of your hands and in the hands of the developers, there are still things you can do to help protect your data!

  • Be cautious when you download mobile apps to your device. Always make sure to read the privacy policy and understand what type of access you’re giving to the app.
  • Stick with well-known apps that have third party security validation.
  • Don’t unlock or tamper with your Android or iPhone. Doing so exposes you to more threats and allows hackers to easily download your information.

As this is our last mobile blog for 2015, we wanted to take a moment to remind you the importance of keeping your device secure. In the New Year, hackers will find even more ways to infiltrate your device, so treat yourself (and your mobile device) to McAfee® Mobile Security, for both Android and iOS to start your New Year right! See you in 2016.

lianne-caetano

About the Author

Lianne Caetano

Lianne Caetano currently serves as Director of Global Product Marketing for the Cloud BU at McAfee. During her 7+ years at McAfee, she has held leadership roles in the consumer and enterprise divisions where she has helped shape product portfolios and strategic direction along with advocating for cybersecurity education. Prior to McAfee, Lianne has worked ...

Read more posts from Lianne Caetano

Subscribe to McAfee Securing Tomorrow Blogs