Tens of thousands of Android and iOS apps leak user data from the cloud. This is according to a recent report highlighting research done by mobile security company Zimperium. In fact, based on an analysis performed on over 1.3 million apps from both platforms, showed that around 5% of apps used public cloud services. And, of these, 14% exposed user data.
Now that might sound like a small number. But that means that out of the 84,000 applications on Android running Amazon Web Services, Google Cloud, Microsoft Azure, or other public cloud services, 11,877 Android apps were leaking user data. That’s compared to iOS apps, of which 6,608 – out of 47,000 using public cloud services – were leaking data.
For many of the apps in question, cloud storage is just not configured correctly. As a result, the stored data is effectively visible to anyone who knows how to look.
What data are these Android and iOS apps leaking?
When it comes to what data actually escapes from these Android and iOS apps, it varies widely. The company doesn’t name the apps in their report because some still haven’t fixed things. And because there is no feasible way to contact thousands of developers about the problem.
Among the apps that were detailed in more detail, there was at least one Fortune 500 company among them. This app exposes user session information and financial details. This is in addition to at least one medical app that stores test results and user profile pictures in the open. But most apps disclose personal information like these or, in some cases, passwords. With the range covering all potential data leaks depending on the purpose of the application in question.
So, is something being done to solve this problem?
As of this writing, Zimperium has reportedly contacted several of the developers in question. But the firm also said the response to communications was minimal at best. And many of the apps in question still have leaked user data. Security researchers also did not indicate whether any of the exhibits were localized and misused. And it mainly comes down to the magnitude of the breach in question.
Maybe worse, typical user protections just won’t do the trick here. While these apps do a great job of protecting against other things, these issues are all on the cloud side of the equation.
With nearly 20,000 apps misconfigured, some in a way that allows data to be changed or overwritten, ultimately it will be up to the developers to fix the problem. Cloud providers have made it easier than ever to detect possible configuration errors. They also warn customers about them. Namely, developers using the services. But these developers will need to dig back into their applications to ensure the proper protections are in place. And there’s no clear indicator of how long it will take for apps to fix.