9 NOV 2017
Poor mobile app development practices have created the Eavesdropper vulnerability, which has resulted in a large-scale data exposure from nearly 700 apps in enterprise mobile environments, over 170 of which are live in the official app stores today.
The affected Android apps alone have been downloaded up to 180 million times.
According to researchers at Appthority, Eavesdropper is caused by developers hard-coding their credentials in mobile applications that use the Twilio REST API or SDK, despite the best practices the company outlines in its documentation. Because the credentials ship inside the app binary, anyone who extracts them gets full access to all records stored in the Twilio backend for the developer's account, not just to the data of the app they came from.
For as long as the apps stay in circulation and the developer keeps using the same credentials, the Eavesdropper vulnerability exposes massive amounts of sensitive current and historic data, including hundreds of millions of call records, minutes of calls and of call audio recordings, and SMS and MMS text messages.
“Eavesdropper poses a serious enterprise data threat because it allows an attacker to access confidential company information, which may include a range of sensitive information often shared in an enterprise environment, such as negotiations, pricing discussions, recruiting calls, product and technology disclosures, health diagnoses, market data or M&A planning,” said Seth Hardy, Appthority director of security research. “An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data.”
Examples of apps with the Eavesdropper vulnerability include an app for secure communication for a federal law enforcement agency, an app that enables enterprise sales teams to record audio and annotate discussions in real-time, and branded and white-label navigation apps for customers such as AT&T and US Cellular.
Further, Appthority said that the issue is not specific to developers who create apps with Twilio.
“Hard-coding of credentials is a pervasive and common developer error that increases the security risks of mobile apps,” said Appthority researchers, in an analysis. “[We] are finding that developers who hard-code credentials in one service have high propensity to make the same error with other services, such as between app tools, in this instance, and data storage like Amazon S3.”
Notably, Eavesdropper does not rely on a jailbreak or root of the device, nor does it take advantage of a known OS vulnerability or attack via malware. Rather, it shows how a single developer mistake, exposing credentials in one app, can affect the whole family of apps by that developer that share the same credentials, compromising even apps where best practices were followed, through side-channel and historical attacks on the shared backend account.
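The practical check that follows from the Twilio finding above and from Appthority's remark that the same developers tend to hard-code other services' keys, such as Amazon S3, is to scan your own builds for these credentials before they ship. The scanner below is an added example, not code from the article, Appthority or Twilio. It works on the kind of text that `strings` prints for a `classes.dex` or an app binary (the sample input is constructed). The identifier shapes it looks for are the ones the vendors publish (Twilio Account SIDs are `AC` plus 32 hex digits, API Key SIDs `SK` plus 32 hex digits, Auth Tokens and API Key secrets 32 hex digits, AWS access key IDs `AKIA` plus 16 upper-case alphanumerics); the 128-byte pairing window and the severity labels are this example's own assumptions, chosen so that a bare 32-hex string (an MD5 hash, for instance) far from any SID is not reported as a secret.

```python
"""Scan strings pulled from a mobile app build for hard-coded Twilio and AWS credentials.

Added example (not the article's or any vendor's code). Feed it the output of
`strings` over classes.dex / the app binary, or decoded resources.
"""
import re
from dataclasses import dataclass

# Identifier formats as documented by the vendors.
TWILIO_ACCOUNT_SID = re.compile(rb"\bAC[0-9a-f]{32}\b")
TWILIO_API_KEY_SID = re.compile(rb"\bSK[0-9a-f]{32}\b")
AWS_ACCESS_KEY_ID = re.compile(rb"\bAKIA[0-9A-Z]{16}\b")
# Shape of a Twilio Auth Token or API Key secret: no prefix, so only flag it near a SID.
BARE_HEX32 = re.compile(rb"\b[0-9a-f]{32}\b")
# Assumption: constants of one class sit close together in a strings dump, so a
# 32-hex value this many bytes from a SID is treated as that SID's secret.
PAIR_WINDOW = 128


@dataclass(frozen=True)
class Finding:
    kind: str
    offset: int
    value: str       # masked: a scanner must not become another leak
    severity: str


def mask(secret: bytes) -> str:
    s = secret.decode()
    return s[:4] + "..." + s[-4:]


def scan(blob: bytes) -> list[Finding]:
    findings: list[Finding] = []
    sids = [(m.start(), m.group(), "twilio_account_sid") for m in TWILIO_ACCOUNT_SID.finditer(blob)]
    sids += [(m.start(), m.group(), "twilio_api_key_sid") for m in TWILIO_API_KEY_SID.finditer(blob)]
    seen: set[int] = set()

    for off, sid, kind in sids:
        # A SID alone is an identifier, not a credential; it becomes one next to its secret.
        findings.append(Finding(kind, off, mask(sid), "info"))
        lo, hi = max(0, off - PAIR_WINDOW), off + len(sid) + PAIR_WINDOW
        for m in BARE_HEX32.finditer(blob, lo, hi):
            if m.start() in seen:
                continue
            seen.add(m.start())
            # SID + secret is exactly what the Twilio REST API needs for full account access.
            findings.append(Finding("twilio_secret_paired_with_" + kind, m.start(), mask(m.group()), "critical"))

    for m in AWS_ACCESS_KEY_ID.finditer(blob):
        # The 40-char secret key has no reliable shape; the key ID alone is still worth a look.
        findings.append(Finding("aws_access_key_id", m.start(), mask(m.group()), "high"))

    return sorted(findings, key=lambda f: f.offset)


def grants_twilio_backend_access(findings: list[Finding]) -> bool:
    """True when a Twilio SID and its secret sit together in the build: the Eavesdropper condition."""
    return any(f.severity == "critical" for f in findings)


# Constructed sample: what `strings classes.dex` might print for a careless build.
NOISE = [b"Lcom/example/dialer/ui/Fragment%d;" % i for i in range(6)]
SAMPLE = b"\n".join(
    [
        b"Lcom/example/dialer/TwilioClient;",
        b"https://api.twilio.com/2010-04-01/Accounts/",
        b"AC" + b"0123456789abcdef" * 2,        # fake Account SID
        b"fedcba9876543210" * 2,                # fake Auth Token right beside it
        b"AKIAEXAMPLEKEY012345",                # fake AWS access key ID
    ]
    + NOISE
    + [
        b"d41d8cd98f00b204e9800998ecf8427e",    # MD5 of "": 32 hex, but far from any SID
        b"Landroid/os/Bundle;",
    ]
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.severity:8} {f.kind:45} @{f.offset:<5} {f.value}")
    print("full Twilio backend access:", grants_twilio_backend_access(scan(SAMPLE)))
```

Run over a real dump, a `critical` finding means the build should not ship and the exposed Auth Token should be rotated, since every app that ever carried it remains a way in. The fix is structural rather than a better hiding place: keep Twilio and AWS credentials on a server the app talks to, and have that server hand the app only short-lived, narrowly scoped tokens for the operations it actually needs.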