According to a new report from mobile security firm Zimperium, thousands of Android and iOS apps are actively leaving user data unsecured and readily available for bad actors to tamper with. Digital security becomes more important with each day that passes, especially as more of people’s lives are handled from their phones. Remote work, online schooling, and virtually anything else can be (and is) done from mobile apps on smartphones.
Apple and Google have taken big steps in recent years to make their respective mobile platforms as secure as can be, and with regard to the things Apple and Google can control, both companies have made considerable progress. iOS 14 added visual indicators whenever an app is using the microphone or camera on someone’s phone, Android 11 allows users to grant permissions to apps on a one-time basis, and new features like these are regularly being added. Unfortunately, there are some security issues beyond Apple and Google’s control.
Zimperium recently conducted a test of over 1.3 million applications across Android and iOS, looking for “unsecured cloud configurations.” Of the 1.3 million apps that were tested, Zimperium discovered that 84,000 Android apps and 47,000 iOS apps were using public cloud services instead of operating their own independent servers. Out of those apps using public cloud services, 11,877 Android apps and 6,608 iOS apps were found to have sensitive user information readily exposed — including things like passwords, profile pictures, medical info, and more.
Why This Leak Is Happening & What You Can Do
These public cloud services include things like Amazon Web Services, Google Cloud, and Microsoft Azure. They’re considerably easier for developers to use than building their own cloud solutions, but app developers using them need to ensure the data they’re storing is properly secured. If this isn’t done, Zimperium notes that app developers are “potentially allowing anyone to access and in some cases even alter data.” In the case of the 11,877 Android apps and 6,608 iOS apps, that’s exactly what happened.
Zimperium doesn’t explicitly mention which apps were found to be in this unsecured state, but it does give an idea of what kinds of apps are at risk, the most troubling being a mobile wallet app from a Fortune 500 company, a public transit app from a “major city,” and a major online retailer. The majority of these unsecured apps exist in the Business category, accounting for 17.6% of the apps that Zimperium discovered. Tools, Social, Shopping, Communication, and Lifestyle all tie for second place with 8.8% each. Zimperium says it didn’t look to see if any of these applications have been abused by hackers, but given that the privacy doors are wide open for all of them, it’s only a matter of time if it hasn’t happened already.
So, what can someone reading this do to protect themselves? Not knowing which specific apps are at fault makes it difficult to take explicit action, but practicing good online safety in general is always the best defense against potential security breaches. Use secure and original passwords for all online accounts, take advantage of two-factor authentication whenever possible, and reset passwords on a semi-regular basis. It’s impossible to be 100% protected against something bad ever happening, but doing these things ensures someone is in the best position possible in the event of a breach.
Source: Zimperium