Mobile security company Appthority said that nearly 700 apps used in enterprises feature a vulnerability that resulted in “large-scale data exposure”.
The company said that the flaw, tagged Eavesdropper, is a “real and ongoing threat”, impacting more than 170 apps which are live in official app stores today. Affected Android apps have been downloaded up to 180 million times.
Appthority said the list includes an app for secure communication for a federal law enforcement agency; an app which enables enterprise sales teams to record audio and annotate discussions in real-time, and branded and white-label navigation apps “for customers such as AT&T and US Cellular”.
Eavesdropper is the result of developers “carelessly hard coding their credentials in mobile applications that use the Twilio REST API or SDK”, despite the fact that this is clearly discussed in the company’s documentation – and Twilio has contacted the developers involved.
But the security firm said the issue is not specific to developers creating apps with Twilio: “Hard coding of credentials is a pervasive and common developer error that increases the security risks of mobile apps.” Developers who do this once have a “high propensity” to make the same error with other services and tools, it said.
Eavesdropper does not rely on a jailbreak or root of the device, nor does it take advantage of a known vulnerability or attack via malware. “This vulnerability shows how a simple developer mistake of exposing credentials in one app can affect larger families of apps by that same developer using the same credentials, even compromising other apps where best practices were followed, using side-channel and historical attacks,” Appthority wrote.
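The root cause described above is a credential pair embedded in shipped app code, which is exactly what a pre-release scan can catch. The following is an added example, not Appthority's or Twilio's code: it searches decompiled or source text for a Twilio Account SID ("AC" plus 32 hex characters, Twilio's documented format) sitting near a token-like 32-hex literal, reports findings with the secret redacted, and is run over a constructed leaky sample and a constructed remediated sample in which the app holds only a backend endpoint. The regexes, the context keywords and `app.example.com` are this example's own assumptions.

```python
import re

# Twilio Account SIDs are "AC" plus 32 hex characters and auth tokens are bare
# 32-hex strings (Twilio's documented formats; the regexes here are our own).
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Only treat a 32-hex literal as a token when its line looks credential-related.
TOKEN_CONTEXT_RE = re.compile(r"(?i)auth|token|secret|password")


def redact(secret: str) -> str:
    """Keep a finding reportable without copying the secret into scan logs."""
    return secret[:4] + "*" * (len(secret) - 4)


def find_hardcoded_twilio_credentials(text: str, window: int = 3) -> list:
    """Flag an Account SID that sits within `window` lines of a token-like
    32-hex literal. Requiring both halves keeps noise (MD5 digests, cache
    keys) far below what flagging every 32-hex string would produce."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for sid in ACCOUNT_SID_RE.findall(line):
            lo, hi = max(0, i - window), min(len(lines), i + window + 1)
            for j in range(lo, hi):
                if not TOKEN_CONTEXT_RE.search(lines[j]):
                    continue
                for tok in HEX32_RE.findall(lines[j]):
                    findings.append({"sid_line": i + 1, "sid": sid,
                                     "token_line": j + 1, "token": redact(tok)})
    return findings


# Constructed sample resembling decompiled app source; values are placeholders.
LEAKY_SOURCE = "\n".join([
    "public class CallHelper {",
    '    private static final String ACCOUNT_SID = "' + "AC" + "0" * 31 + "1" + '";',
    '    private static final String AUTH_TOKEN  = "' + "f" * 32 + '";',
    '    private static final String USER_AGENT  = "com.example.app/1.0";',
    "}",
])

# Remediated shape: the app holds only an endpoint; the backend that owns the
# Twilio credentials mints short-lived, scoped tokens for each session.
SAFE_SOURCE = "\n".join([
    "public class CallHelper {",
    '    private static final String TOKEN_ENDPOINT = "https://app.example.com/twilio/token";',
    "}",
])
```

Running the scanner over `LEAKY_SOURCE` yields one finding with the token masked, while `SAFE_SOURCE` yields none; the same function can be pointed at every string table and class file extracted from a build before it is published.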