Security researchers have discovered a flaw in the way mobile apps store data online that exposes users' sensitive information, including passwords, door codes, and location data. According to Reuters, a team of German researchers studied as many as ten thousand mobile applications, among them social networking, medical, and banking apps, and found over 56 million unprotected data records.
"In almost every category we found an app which has this vulnerability in it," said Siegfried Rasthofer, part of the team from the Fraunhofer Institute for Secure Information Technology and Darmstadt University of Technology.
Team leader Eric Bodden believes that the number of records affected by the vulnerability "will be in the billions". He is also reportedly comparing his team's discovery to Heartbleed, stating that this newest vulnerability might be far worse because users have little ability to protect themselves and attackers can exploit the flaw with ease. The flaw lies in how apps authenticate to the online databases in which they store user data. When an app stores users' information with such a service, most services protect that data with a token, a string of letters and numbers that the developer embeds in the app's code. Because the token ships inside every copy of the app, attackers can extract it (and modify the app to use it) and gain the same access to the stored data that the legitimate app has. A secret embedded in software that is distributed to the public is effectively public, so any access control that relies on that token alone protects nothing.
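As an added illustration (not code from the research team, from Reuters, or from any named service), the following Python sketch shows both halves of the problem described above: pulling a backend credential out of the printable strings of an app binary, and why a backend that checks only that shared, embedded key hands over every user's records, next to a design that ties reads to a per-user session issued after a password check. All identifiers, header names, keys and sample data are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample (not from the research): printable strings of the kind
# `strings` or a decompiler would pull out of an app binary. Every name and
# value here is hypothetical.
SAMPLE_APP_STRINGS = (
    b"com.example.notesapp\x00"
    b"https://backend.example.invalid/1/classes/Note\x00"
    b"X-App-Id: appid_9f8e7d6c5b4a\x00"
    b"X-App-Key: ck_0123456789abcdef0123456789abcdef\x00"
    b"Login failed\x00"
)

# Hypothetical header names an app might send to its hosted database;
# modelled loosely on an "application id + client key" pair.
CREDENTIAL_PATTERNS = {
    "app_id": re.compile(rb"X-App-Id:\s*([A-Za-z0-9_\-]+)"),
    "app_key": re.compile(rb"X-App-Key:\s*([A-Za-z0-9_\-]+)"),
}


def printable_strings(blob: bytes, min_len: int = 8) -> list[str]:
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, blob)]


def extract_embedded_credentials(blob: bytes) -> dict[str, str]:
    """Look for backend credentials among the strings of an app binary."""
    found = {}
    for s in printable_strings(blob):
        for name, pat in CREDENTIAL_PATTERNS.items():
            m = pat.search(s.encode())
            if m:
                found[name] = m.group(1).decode()
    return found


# Constructed backend data: records belonging to two different users.
DB = [
    {"owner": "alice", "note": "front door code 4711"},
    {"owner": "bob", "note": "spare key under the mat"},
]
APP_KEY = "ck_0123456789abcdef0123456789abcdef"  # same value as in the binary


class SharedKeyBackend:
    """Weak design: the app-wide key embedded in every copy of the app is the
    only credential checked, so whoever extracts it can read every record."""

    def list_notes(self, app_key: str) -> list[str]:
        if not hmac.compare_digest(app_key, APP_KEY):
            raise PermissionError("bad app key")
        return [r["note"] for r in DB]


class PerUserBackend:
    """Hardened design: the embedded key only identifies the app. Reading data
    needs a per-user session issued after a password check, and each query is
    filtered by the session's owner on the server side."""

    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 digest)
        self._sessions = {}  # session token -> username

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, app_key: str, user: str, password: str) -> str:
        if not hmac.compare_digest(app_key, APP_KEY) or user not in self._users:
            raise PermissionError("bad app key or unknown user")
        salt, digest = self._users[user]
        if not hmac.compare_digest(self._hash(password, salt), digest):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def list_notes(self, session_token: str) -> list[str]:
        owner = self._sessions.get(session_token)
        if owner is None:
            raise PermissionError("no valid session")
        return [r["note"] for r in DB if r["owner"] == owner]


def attacker_with_extracted_key(backend) -> list[str]:
    """What someone holding only the key pulled from the binary can read."""
    key = extract_embedded_credentials(SAMPLE_APP_STRINGS)["app_key"]
    try:
        return backend.list_notes(key)
    except PermissionError:
        return []


if __name__ == "__main__":
    print("weak backend leaks:", attacker_with_extracted_key(SharedKeyBackend()))
    hardened = PerUserBackend()
    hardened.register("alice", "correct horse")
    print("hardened backend leaks:", attacker_with_extracted_key(hardened))
    session = hardened.login(APP_KEY, "alice", "correct horse")
    print("alice sees only her own records:", hardened.list_notes(session))
```

The point of the two backends is that the extracted key is identical in both cases; what differs is whether the server treats it as proof of identity. In the hardened design the key alone yields nothing, and even a valid session only returns the records of the user who logged in, so a leaked app key exposes no stored data.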
As of this writing, there is no evidence that the research team's discovery has been exploited in the wild. Ibrahim Baggili, who runs a cybersecurity lab at the University of New Haven, explains that this flaw reflects the rush of most developers to release their applications as soon as possible, a trend that helps make mobile applications less reliable than desktop and laptop apps at protecting users' information. Along the same lines, other researchers are not surprised by this flaw, given the tendency of developers to transmit users' usernames and passwords to online databases in unencrypted form. Even so, developers are not the only guilty party. As argued by Domingo Guerra, co-founder of mobile security company Appthority, cloud providers and app stores also share responsibility for ensuring that developers follow best practices and for testing applications for security holes.