SAN FRANCISCO, Calif. – Nov 9, 2017 – Today, Appthority, the global leader in enterprise mobile threat protection, published research on its recent discovery of the Eavesdropper vulnerability, which has resulted in a large-scale data exposure. Eavesdropper is caused by developers carelessly hard-coding their credentials in mobile applications that use the Twilio REST API or SDK, despite best practices the company clearly outlines in its documentation. Twilio has reached out to all developers with affected apps and is actively working to secure their accounts.
Appthority security researchers have identified this as a real and ongoing threat affecting nearly 700 apps in enterprise mobile environments, over 170 of which are live in the official app stores today. Affected Android apps alone have been downloaded up to 180 million times.
Examples of apps with the Eavesdropper vulnerability include an app for secure communication for a federal law enforcement agency, an app that enables enterprise sales teams to record audio and annotate discussions in real-time, and branded and white label navigation apps for customers such as AT&T and US Cellular.
This issue is not specific to developers who create apps with Twilio. Hard-coding of credentials is a pervasive and common developer error that increases the security risks of mobile apps. Appthority researchers are finding that developers who hard-code credentials for one service have a high propensity to make the same error with other services, in this instance between app tools such as Twilio and data storage such as Amazon S3.
Over the lifetime of the apps and the developer’s use of the same credentials, the Eavesdropper vulnerability exposes massive amounts of sensitive current and historic data, including hundreds of millions of:
- call records
- minutes of calls
- minutes of call audio recordings
- SMS and MMS text messages
Notably, Eavesdropper does not rely on a jailbreak or rooting of the device, nor does it take advantage of a known OS vulnerability or attack via malware. Rather, this vulnerability shows how a simple developer mistake of exposing credentials in one app can affect larger families of apps by that same developer using the same credentials, even compromising other apps where best practices were followed, using side-channel and historical attacks. Moreover, this vulnerability isn’t resolved by removing an affected app from the app store or from users’ devices. The lifetime of the app’s data and the data from other apps created by that developer is exposed until the credentials for all apps are properly rotated and, of course, no longer disclosed in clear text in the apps.
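As an added illustration that is not part of Appthority's release or of Twilio's own tooling: the Python scanner below searches strings extracted from a decompiled app build (a constructed sample, not real credentials) for Twilio-shaped account identifiers and auth tokens, the kind of pre-release check a development or security team can run in CI to catch the mistake the release describes before an app ships. The credential formats it looks for (an Account SID of "AC" plus 32 hex characters, a 32-hex-character auth token, and credentials embedded in a basic-auth URL) and the key names it matches are assumptions about what such strings typically look like, and the entropy filter is a heuristic to skip obvious placeholder values.

```python
import math
import re
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    redacted: str  # never report the full secret in scan output


# Assumed format: Twilio Account SIDs are "AC" followed by 32 hex characters.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-f]{32}\b", re.IGNORECASE)
# Assumed format: a 32-hex-character literal sitting next to a token-like key name
# (assignment, JSON, or Android strings.xml value).
AUTH_TOKEN_RE = re.compile(
    r"(?i)(auth[_-]?token|api[_-]?secret|twilio[_-]?token)\W{0,5}([0-9a-f]{32})\b"
)
# Credentials baked into a basic-auth URL: https://SID:TOKEN@api.twilio.com/...
BASIC_AUTH_URL_RE = re.compile(
    r"https?://([^:/\s]+):([^@/\s]+)@api\.twilio\.com", re.IGNORECASE
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders like 000...0 score 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep just enough of the value to locate it in source, not to reuse it."""
    return value[:4] + "..." + value[-2:]


def scan_strings(lines: List[str]) -> List[Finding]:
    """Return every credential-shaped literal found in extracted app strings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for m in ACCOUNT_SID_RE.finditer(line):
            findings.append(Finding(line_no, "account_sid", redact(m.group(0))))
        for m in AUTH_TOKEN_RE.finditer(line):
            token = m.group(2)
            # Low-entropy hex (all zeros, repeated digits) is almost always a placeholder.
            if shannon_entropy(token) > 3.0:
                findings.append(Finding(line_no, "auth_token", redact(token)))
        for m in BASIC_AUTH_URL_RE.finditer(line):
            findings.append(Finding(line_no, "basic_auth_url", redact(m.group(2))))
    return findings


# Constructed sample of strings as they might be pulled from a decompiled app.
# The SID and token values are made up and are not real Twilio credentials.
SAMPLE_STRINGS = [
    '<string name="app_name">Example Dialer</string>',
    'private static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";',
    'private static final String AUTH_TOKEN = "9f8e7d6c5b4a39281706f5e4d3c2b1a0";',
    'String url = "https://AC0123456789abcdef0123456789abcdef:9f8e7d6c5b4a39281706f5e4d3c2b1a0@api.twilio.com/";',
    # Hardened pattern: the app asks its own backend for a short-lived token instead
    # of carrying account credentials; this line produces no finding.
    'String TOKEN_ENDPOINT = "https://backend.example.com/twilio/token";',
    # Placeholder value with zero entropy: matched by shape but filtered out.
    '<string name="auth_token">00000000000000000000000000000000</string>',
]


if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

Run against the constructed sample, the scan reports the hard-coded SID on line 2, the token on line 3, and both halves of the basic-auth URL on line 4, while the backend token endpoint on line 5 and the all-zero placeholder on line 6 produce nothing. A finding in CI should block the release; a finding in an app that has already shipped means the credential has to be treated as exposed and rotated, since, as the release notes, pulling the app from the store does not undo the disclosure.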
“Eavesdropper poses a serious enterprise data threat because it allows an attacker to access confidential company information, which may include a range of sensitive information often shared in an enterprise environment, such as negotiations, pricing discussions, recruiting calls, product and technology disclosures, health diagnoses, market data or M&A planning,” said Seth Hardy, Appthority Director of Security Research. “An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data.”
The Appthority Mobile Threat Team (MTT) first discovered the Eavesdropper vulnerability in April 2017 and notified Twilio in July 2017 about the exposed accounts. The oldest affected iOS app is from 2009, with one or more compromised accounts affected since 2011. Appthority Mobile Threat Protection (MTP) is the only Mobile Threat Defense solution that can identify the Eavesdropper vulnerability.
Unfortunately, Eavesdropper is just the latest data leakage discovery by Appthority’s MTT. The MTT also recently identified the HospitalGown vulnerability, which exposed a massive 43 terabytes of data (some of which was ransomed) on over 21,000 backend servers. And Appthority recently highlighted risks associated with platform services such as Uber, and the low adoption of encryption standards such as App Transport Security. These are just a few examples of data and privacy risks that require a thorough analysis of mobile apps to identify mobile threats to enterprise data and privacy.
About Appthority Mobile Threat Research
Appthority’s Mobile Threat Team (MTT) monitors and investigates mobile risks that pose a direct threat to mobile enterprises. Their goal is to provide research that educates and informs enterprises looking to protect their people, data, devices, apps, and networks from mobile risks. The MTT is comprised of top mobile security researchers and threat analytics managers who use their experience and expertise to develop best-in-class research insights. The team prides itself on delivering unique, accurate and practical perspectives, as well as security solutions, that help our enterprise audience understand the most impactful threats and address mobile risks.
Appthority is a pioneer in enterprise mobile security and the leader in the Mobile Threat Defense category. The comprehensive Appthority Mobile Threat Protection (MTP) solution helps customers keep their data private and secure from mobile device, app and network threats. More Fortune 1000 companies trust Appthority to secure their enterprises from mobile threats because Appthority delivers best-in-class mobile threat protection and unparalleled enterprise visibility and control of mobile risks. With Appthority, security teams are informed, employees are productive and enterprise data is kept private and secure. Learn more at www.appthority.com.