Mobile-app errors expose data on 180 million phones: security firm

  • TECH
  • Friday, 10 Nov 2017

FILE PHOTO: A banner for communications software provider Twilio Inc., hangs on the facade of the New York Stock Exchange (NYSE) to celebrate the company's IPO in New York City, U.S., June 23, 2016. REUTERS/Brendan McDermid - D1BETLOVETAA

A simple coding error in at least 685 apps put millions of smartphone users at risk of having some of their calls and text messages intercepted by hackers, cybersecurity firm Appthority warned on Nov 9. 

Developers mistakenly coded credentials for accessing text messaging, calling and other services provided by Twilio Inc, said Appthority's director of security research, Seth Hardy. Hackers could access those credentials by reviewing the code in the apps, then gain access to data sent over those services, he said. 

Affected apps include the AT&T Navigator app pre-installed on many Android phones and more than a dozen GPS navigation apps published by Telenav Inc. Such apps have been installed as many as 180 million times on Android phones and an unknown number of times on Apple's iOS-based devices. 

Shares of Twilio slid nearly 7% after the Appthority report. Hackers covet Twilio credentials because they are used in a variety of apps that send text messages, process phone calls and handle other services. Hackers could access related data if they log into a developer's Twilio account, Hardy said. 

Appthority, cautious not to tip off potential hackers, did not list all the apps that could be vulnerable. Twillio's website says its users include Uber Technologies Inc and Netflix Inc. However, large companies like those typically have security reviews that catch common coding errors like the one Appthority described. 

There was no indication that Uber or Netflix were affected by the problem. 

The findings highlight new threats posed by the increasing use of third-party services such as Twilio, which says on its website that it powers communications for more than 40,000 businesses worldwide. Developers can inadvertently introduce security vulnerabilities if they do not properly code or configure such services. 

“This isn't just limited to Twilio. It's a common problem across third-party services," Hardy said. "We often notice that if they make a mistake with one service, they will do so with other services as well.” 

Appthority said it also warned Inc that it had found credentials for at least 902 developer accounts with cloud-service provider Amazon Web Services in a scan of 20,098 different apps. 

Those credentials could be used to access app user data stored on Amazon, Hardy said. 

A representative with Amazon declined comment. 

One problem with third-party services is that developers often use the same account across multiple apps, similar to how consumers might use one email address for a variety of financial services and can have fraud problems at all of them if hackers compromise that single email account. 

Appthority found Twilio credentials exposed in a now-defunct version of the AT&T Navigator mapping and GPS app. The AT&T app was a re-branded version of an app originally built by Telenav. 

Appthority found that newer versions of the AT&T app appeared to be safe, but data sent over them could still be at risk if the developer of a related app is still using the same Twilio account. It said the same Twilio credentials were found coded in more than a dozen other Telenav apps. 

AT&T and Telenav could not immediately be reached for comment. 

The mistakes were caused by developers, not Twilio, Hardy said. Twilio's website warns developers that leaving credentials in apps could expose their accounts to hackers. 

Twilio spokesman Trak Lord said the company has no evidence that hackers used credentials coded into apps to access customer data but was working with developers to change credentials on affected accounts. 

The Twilio vulnerability only affects calls and texts made inside of apps that use its messaging services, including some business apps for recording phone calls such as Wrappup and RingDNA, according to Appthority's report. Wrappup an RingDNA could not immediately be reached for comment. 

In a survey of 1,100 apps, Appthority found 685 problem apps that were linked to 85 affected Twilio accounts. That suggests the theft of credentials for one app's Twilio account could pose a security threat to all users of as many as eight other apps. 

Twilio's shares closed down 6.8% at US$25.93 (RM108.71). Shares had rallied in pre-market trading after Twilio beat revenue expectations and raised its revenue forecast during an earnings report after the markets closed on Wednesday. — Reuters

Article type: metered
User Type: anonymous web
User Status:
Campaign ID: 1
Cxense type: free
User access status: 0
Subscribe now to our Premium Plan for an ad-free and unlimited reading experience!

Next In Tech News

Opinion: Tech industry must accept greater social responsibility
Indonesian unit of to discontinue all services at end of March - JD.ID website
Opinion: ChatGPT will change the future of education
Maybank2u and MAE app add ‘kill switch’ feature to combat online scams
Man with history of torturing women is using dating apps to lure new victims in Oregon,�US police say
US man accused of sexually abusing unconscious woman, recording it
Online system to seek asylum in US is quickly overwhelmed
Pet fish in Japan racks up credit card bill on Nintendo Switch
Elon Musk’s mysterious ways on display in Tesla tweet trial
Fact check: Are viral videos showing Covid-19 vaccine side effects accurate?

Others Also Read