Up to 180 million smartphone owners across the globe are at risk of having some of their text messages and calls intercepted by hackers because of a simple coding error in at least 685 mobile apps, cyber-security firm Appthority warned on Thursday.
According to Seth Hardy, Appthority’s director of security research, developers mistakenly coded credentials for accessing services provided by Twilio Inc. directly into their apps. Hackers could obtain those credentials by reviewing the apps’ code and then gain access to data sent over those services. The finding highlights the threat posed by the increasing use of third-party services such as Twilio.
Twilio provides mobile apps with functions like text messaging and audio calls. Inexperienced developers can inadvertently introduce security vulnerabilities into these apps if they do not properly code or configure such services. Hardy said that these vulnerabilities are not limited to Twilio; it is a common problem across all third-party services.
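The coding error described above is a credential left in the app package itself, which is exactly what a scan of extracted app strings can catch. The following is an added example written for this page, not Appthority’s scanner or any project’s code: it runs over strings pulled from an app binary and flags the publicly documented formats of Twilio Account SIDs, API key SIDs, auth tokens and AWS access key IDs. The sample strings are constructed, and the matches are candidates to verify, not proof of a live credential.

```python
import re
from typing import Dict, List, Tuple

# Publicly documented credential formats (assumed here, not taken from the article):
# Twilio Account SIDs start with "AC", API key SIDs with "SK", each followed by 32 hex chars;
# Twilio auth tokens are bare 32-hex strings; AWS access key IDs start with "AKIA" + 16 upper alnum.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "twilio_account_sid": re.compile(r"\bAC[0-9a-fA-F]{32}\b"),
    "twilio_api_key_sid": re.compile(r"\bSK[0-9a-fA-F]{32}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # A bare 32-hex string also matches MD5 hashes and similar, so require a token-like
    # variable name shortly before it to keep false positives down.
    "twilio_auth_token": re.compile(
        r"(?i)(auth[_-]?token|twilio[_a-z]*token)\W{0,5}['\"]?([0-9a-f]{32})\b"
    ),
}


def redact(secret: str) -> str:
    """Show only enough of a match to triage it; never log the full credential."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 8 else "****"


def scan_strings(strings: List[str]) -> List[Tuple[int, str, str]]:
    """Scan strings extracted from an app (e.g. `strings` over classes.dex or an IPA binary).

    Returns one (line_number, pattern_name, redacted_match) tuple per candidate credential.
    """
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(strings, 1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Patterns with groups capture the secret in their last group.
                secret = match.group(match.lastindex) if match.lastindex else match.group(0)
                findings.append((lineno, name, redact(secret)))
    return findings


# Constructed sample input: what decompiled app constants commonly look like.
SAMPLE_STRINGS = [
    'static final String TWILIO_SID = "ACa1b2c3d4e5f60718293a4b5c6d7e8f90";',
    'static final String TWILIO_AUTH_TOKEN = "0123456789abcdef0123456789abcdef";',
    'const char *aws_key = "AKIAEXAMPLEKEY000001";',
    'md5 = "d41d8cd98f00b204e9800998ecf8427e"',  # plain hash, must not be flagged
    "https://api.twilio.com/2010-04-01/Accounts/",
]

if __name__ == "__main__":
    for lineno, name, shown in scan_strings(SAMPLE_STRINGS):
        print(f"line {lineno}: {name} -> {shown}")
```

Any hit should be treated as a credential to rotate and move server-side, since the app package is readable by anyone who downloads it.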
Appthority has also noticed that developers who make a mistake with one service will often do so with other services as well. Many apps use Twilio to send text messages, process phone calls and handle other services, and hackers who log into the developer accounts on Twilio could easily access the related data.
The mistakes were made by the developers and not by Twilio, Hardy pointed out. Twilio’s website does warn developers that leaving credentials in apps could expose their accounts to hackers. Twilio spokesperson Trak Lord said the company has no evidence that hackers used credentials coded into apps to access customer data, but that it was working with developers to change the credentials on affected accounts.
Users should note that the vulnerability only affects calls and texts made inside apps that use messaging services from Twilio. According to Appthority’s report, this includes several business apps for recording phone calls. It is widely known that credentials for back-end services like Twilio are coveted by hackers, and developers often reuse their accounts to build multiple apps.
In a survey of just over 1000 apps, Appthority found 685 problem apps linked to 85 affected Twilio accounts. This means that the theft of credentials for one app’s Twilio account could pose a security threat to all users of as many as eight other apps. Appthority has also stated that it warned Amazon.com Inc that it had found credentials for at least 902 developer accounts with cloud-service provider Amazon Web Services in a scan of over 20 000 different apps. Those credentials could be used to access app user data stored on Amazon.