Voice, text, and data from apps using Twilio and Amazon S3 vulnerable to third-party access.
Appthority has recently discovered a vulnerability we’ve named Eavesdropper, caused by embedding unsecured credentials in mobile applications that use the Twilio REST API or the Twilio SDK. Via its REST API or SDK, Twilio enables mobile apps to make, receive and control audio calls, send and receive SMS and chat messages, and use two-factor authentication.
We’ve called this vulnerability Eavesdropper because hardcoding the Twilio account ID and Twilio account token (which functions as the account password) in the app exposes call record metadata, recorded call audio, and text messages. The accessible records are not limited to those of the user of the vulnerable app; they include every record associated with the developer’s Twilio account, for that app and for any other apps the developer built on the same account. We believe this is likely the largest active enterprise data leak from a mobile app vulnerability discovered to date.
Text messages observed from vulnerable apps include one-time verification codes, passwords for ‘secure’ file transfers, location tracking of users, and other PII. Twilio warns developers in its public documentation against hardcoding credentials in their apps because of exactly this risk.
Amazon S3 Cloud Storage
During the investigation of Eavesdropper, Appthority researchers noticed that apps with the vulnerability often made the same mistake with many other services. One of the most prominent third-party services used is S3 (Simple Storage Service), Amazon’s cloud storage solution. With S3, developers provision “buckets”, file storage locations hosted in Amazon’s cloud.
This data exposure reaches well beyond the mobile app’s own resources. S3 bucket names must be globally unique, which encourages descriptive names, and accounts are usually limited to 100 buckets, which often leads to data that is not properly compartmentalized. Judging by the bucket names, leaked credentials often expose the developers’ wider Amazon infrastructure and network resources, including company information such as customer and sales data held in database backups. In many cases, the mobile app vulnerability opens the door to a company’s entire hosted network.
Appthority has reported the exposure discovery to Twilio and Amazon, and both companies are working to secure the affected accounts.
- More than 1,100 apps that use Twilio were analyzed, almost evenly split between Android and iOS platforms, with 685 apps vulnerable and 85 developer Twilio accounts compromised
- Vulnerable Android apps alone have between 40 and 180 million installs
- Many apps are still available on official app stores, including 75 on Google Play and 102 on the App Store
- 33% of apps by install are business related
- The oldest live Twilio account affected is from 2011, and the oldest iOS app affected is from 2009
- The scope of the data leak exposes hundreds of millions of call records, minutes of calls and audio recordings, and text messages.
For Amazon S3 file storage:
- 40% of Eavesdropper affected apps also have Amazon credentials exposed
- Two of the case study apps from the Eavesdropper Mobile Threat Report are also vulnerable to Amazon data leakage
- In total, we observed the credentials for 2,030 Amazon accounts in 20,098 apps
- 902 of these accounts are active, allowing access to list 21,866 live data storage buckets
- 583 buckets have names that indicate database backups for servers running MySQL, CassandraDB, Couchbase, DynamoDB, Redis, MongoDB, Elastic Beanstalk, Elasticsearch, and Atlassian software
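The root cause behind both sets of figures above is the same: credential strings shipped inside the app binary. As an added example (not Appthority’s report data or tooling, and not Twilio’s or Amazon’s code), the Python scanner below looks for those credential shapes in a decompiled app’s sources and resources, the check a developer or an enterprise app-vetting team would run before release. It relies on the public formats of these identifiers: a Twilio account SID is “AC” followed by 32 hex characters, a Twilio auth token is 32 hex characters, and a long-lived AWS access key ID is “AKIA” followed by 16 upper-case alphanumerics. The sample decompiled class and every credential value in it are constructed, and the file-suffix list in `scan_tree` is an assumption about what a decompiled APK or IPA contains.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Credential shapes this scanner recognises. Twilio account SIDs are "AC" followed by
# 32 hex characters; Twilio auth tokens are 32 hex characters; long-lived AWS access
# key IDs are "AKIA" (temporary ones "ASIA") followed by 16 upper-case alphanumerics.
SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
TOKEN_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A bare 40-character base64-ish string is a poor signal on its own, so an AWS secret
# is only reported when it sits next to an aws_secret-style identifier on the same line.
AWS_SECRET_RE = re.compile(r"(?i)aws[_-]?secret[^\n]{0,40}?[\"']([A-Za-z0-9/+=]{40})[\"']")

Finding = Tuple[str, str]  # (credential kind, matched value)


def find_hardcoded_credentials(text: str) -> List[Finding]:
    """Return every credential-shaped string found in one decompiled source or resource file."""
    findings: List[Finding] = []
    sids = SID_RE.findall(text)
    findings += [("twilio_account_sid", s) for s in sids]
    # 32-hex strings are common (MD5 digests, UUIDs without dashes), so they are only
    # treated as Twilio auth tokens when an account SID is present in the same file.
    if sids:
        findings += [("twilio_auth_token", t) for t in TOKEN_RE.findall(text)]
    findings += [("aws_access_key_id", k) for k in AWS_KEY_RE.findall(text)]
    findings += [("aws_secret_access_key", s) for s in AWS_SECRET_RE.findall(text)]
    return findings


def redact(value: str) -> str:
    """Shorten a credential for a report so the scan output does not itself leak it."""
    return value if len(value) <= 8 else f"{value[:4]}...{value[-4:]}"


def scan_tree(root: Path,
              suffixes=(".java", ".smali", ".kt", ".xml", ".json", ".plist", ".strings", ".js")
              ) -> Dict[str, List[Finding]]:
    """Walk a decompiled APK/IPA directory (assumed layout) and collect findings per file."""
    results: Dict[str, List[Finding]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = find_hardcoded_credentials(path.read_text(errors="ignore"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample: what a decompiled class with embedded credentials looks like.
# None of these values belong to a real account; they only have the right shape.
FAKE_SID = "AC" + "0123456789abcdef" * 2
FAKE_TOKEN = "fedcba9876543210" * 2
FAKE_AWS_KEY = "AKIA" + "EXAMPLEKEY000001"
FAKE_AWS_SECRET = "ExampleSecretKey0123456789abcdefghijklmn"
SAMPLE_SOURCE = f"""
public class SmsClient {{
    private static final String TWILIO_SID = "{FAKE_SID}";
    private static final String TWILIO_TOKEN = "{FAKE_TOKEN}";
    private static final String AWS_ACCESS_KEY = "{FAKE_AWS_KEY}";
    private static final String AWS_SECRET_KEY = "{FAKE_AWS_SECRET}";
}}
"""

if __name__ == "__main__":
    for kind, value in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"{kind}: {redact(value)}")
```

Run against a real decompiled tree with `scan_tree(Path("decompiled/"))`; any hit is a release blocker, since the same strings are exactly what the report describes being recovered from shipped apps. The token heuristic trades recall for precision: a 32-hex string on its own is not reported, which keeps hash constants out of the results, but a token in a file with no SID beside it would be missed.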
At the time of discovery, over half of Appthority customers were impacted by Eavesdropper, with many more affected by the Amazon S3 exposure. Appthority considers this an ongoing risk that is unlikely to see broad fixes. Longer term, we expect to continue to see new vulnerabilities along the lines of the HospitalGown and Eavesdropper exposures unless and until Apple and Google start vetting apps for these types of vulnerabilities.
Remediation of Eavesdropper and the related Amazon S3 data storage vulnerability is problematic for enterprises. Both rely on the understanding and cooperation of the app developers and require them to take multiple actions. To fix the problem, a developer must both update their apps to stop using hardcoded credentials and change the credentials that have been compromised. If the credentials are changed without an app update, the app will very likely stop working. If the credentials are removed from the app but not changed, the copies already extracted from earlier versions stay valid, so future app versions remain exposed to the same historical attacks. Unless all of a developer’s apps on all stores (iOS and Android) are updated at the same time, the risk remains. For Amazon S3, unlike Eavesdropper, the credentials may give a direct line into many additional assets hosted in Amazon’s cloud, which requires far more substantial work to secure those (supposedly) internal services.
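The two remediation steps above, removing the credential from the app and rotating it, only stop conflicting once the third-party credential lives behind a backend the developer controls. The following added example (not Appthority’s, Twilio’s or Amazon’s code; the broker, the `recordings:read` scope name and the signing key are constructed for illustration) models that pattern in Python: a server-side broker holds the secret and hands the app a short-lived, per-user, scoped token, and the resource layer checks that token instead of trusting a shared account credential. Rotating the server-held key invalidates every outstanding token without an app-store update, which is precisely the property a hardcoded credential lacks.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class CredentialBroker:
    """Backend component that holds the third-party credential (modelled here as an
    HMAC signing key the server keeps in its own environment) and issues the mobile app
    a short-lived, narrowly scoped token instead. The app ships with no secret at all."""

    def __init__(self, signing_key: bytes, ttl_seconds: int = 300):
        self._key = signing_key
        self.ttl = ttl_seconds

    def rotate(self, new_key: bytes) -> None:
        # Server-side rotation: every outstanding token stops verifying, and no
        # app-store update is needed because the app never held the key.
        self._key = new_key

    def mint(self, user_id: str, scope: str, now: Optional[float] = None) -> str:
        """Issue a token bound to one user and one scope, expiring after ttl seconds."""
        exp = int((time.time() if now is None else now) + self.ttl)
        claims = {"sub": user_id, "scope": scope, "exp": exp}
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def verify(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the claims if the signature is valid and the token is unexpired, else None."""
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        padded = body + "=" * (-len(body) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        if claims["exp"] <= (time.time() if now is None else now):
            return None
        return claims


def can_access_recording(broker: CredentialBroker, token: str, user_id: str,
                         now: Optional[float] = None) -> bool:
    """Resource-side check: a token is good only for its own user's recordings, so a
    leaked token cannot be turned into the account-wide access a shared token gives."""
    claims = broker.verify(token, now)
    return (claims is not None
            and claims["scope"] == "recordings:read"
            and claims["sub"] == user_id)


if __name__ == "__main__":
    broker = CredentialBroker(b"constructed-server-side-key")  # constructed key
    token = broker.mint("alice", "recordings:read")
    print("alice reads own recording:", can_access_recording(broker, token, "alice"))
    print("same token used for bob:  ", can_access_recording(broker, token, "bob"))
    broker.rotate(b"constructed-replacement-key")
    print("after server-side rotation:", can_access_recording(broker, token, "alice"))
```

In a real deployment the broker would exchange the verified user session for a vendor-issued token (Twilio’s access tokens or AWS temporary credentials) rather than signing its own, but the property demonstrated is the one that matters for remediation: the app update and the credential change become independent operations, so the credential can be rotated the moment it is known to be exposed.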
The best approach for an enterprise is to identify the Eavesdropper or Amazon S3 vulnerable apps in their environment and determine whether the data exposed by the app is sensitive. If the messages, audio content, call metadata, or stored files turn out to be sensitive or proprietary, there may not be much that can be done about conversations already exposed through prior use of the app. However, a lot can be done to prevent future exposures, including either having the developer address the problem and confirming the fix, or finding an alternate app with the same or similar functionality that does not have the Eavesdropper or Amazon S3 vulnerability. In all cases, the enterprise should contact the developer to have them delete exposed files.
Appthority customers have built-in protection for this vulnerability, and we recommend that they create policies to detect Eavesdropper and Amazon S3 exposure. In the Appthority legacy solution, you’ll find instructions here. In Appthority MTP, you’ll find instructions here.
We also recommend that customers encourage employees to delete vulnerable apps and install apps that are not affected by Eavesdropper instead. Employees can also use the Appthority Mobile Threat Protection App to search the Apple App Store or Google Play for compliant apps, avoiding a “hit and miss” approach to finding apps with messaging and recording capabilities that aren’t vulnerable to Eavesdropper.