
Millions of Android, iOS users at risk of losing private data due to unsecured apps: Zimperium

ohit KVN
Last Updated : 05 March 2021, 08:30 IST


For the past few years, there has been a steady increase in users migrating to smartphones, which make services such as money transfers, cab hailing, and food delivery quick and convenient. The Covid-19 outbreak in early 2020, however, has fast-tracked the adoption of the digital lifestyle.

This apparently attracts bad actors who prey on naive users. While we advise users to be cautious, it is also imperative for app developers to take responsibility for securing the user data they store, either on their own cloud storage or with third-party service providers such as Microsoft Azure, Google, and Amazon Web Services, among others.

Now, it has come to light that thousands of Android and iOS apps, installed on hundreds of millions of phones, are leaking user data, Zimperium’s zLabs team reported.

"In our analysis, 14% of mobile apps that use cloud storage had unsecure configurations and were vulnerable to the risks described in this post. In apps around the world and in almost every category, our analysis revealed a number of significant issues that exposed PII, enabled fraud, and/or exposed IP or internal systems and configurations," noted the Zimperium security team.

Without naming any particular company, the researchers said thousands of app developers have failed to prevent user data from leaking from their backend servers because of misconfigured cloud protection settings.

If this loophole isn't fixed soon enough, it may give hackers a chance to sneak into an app company's server to manipulate or steal personally identifiable information (PII), such as profile pictures, personal details (addresses, financial information, etc.), and medical details (medical test data).

For instance, suppose a user photographs a bank cheque with a third-party camera or other utility app, which stores the image on the app maker's cloud storage. If that image falls into the hands of a criminal, it can be forged for illegal purposes.

If news then emerges that the app's security has been compromised, it will not only hurt the app's brand value, as people might uninstall it, but bad actors may also take over the company's server and block its operations for ransom.

In a worst-case scenario, intelligent hackers can study the critical operational network architecture of one company and attack others with a similar workflow, leading to worldwide DDoS (Distributed Denial-of-Service) attacks.

Zimperium has suggested that the affected app companies secure external access to their servers and revamp their cloud security setup with a more robust architecture.

It should be noted that Zimperium is one of three prominent members (the other two are ESET and Lookout) of Google's App Defense Alliance, whose primary objective is to detect and block malware-laced apps entering the Android ecosystem via the Play Store.

Zimperium's report reveals that apps with compromised cloud protections mainly fall under business (17%), shopping (8.8%), tools (utilities such as scanners, PDF converters, etc.), social media, lifestyle, health & fitness, and news & magazines.

Distribution of categories (verticals) for the apps with unsecure storage. Credit: Zimperium

Published 05 March 2021, 06:00 IST
