Coding error puts 180 mn smartphones at hacking risk

10 Nov 2017

A simple coding error in at least 685 mobile apps has put up to 180 million smartphone owners at risk of having some of their text messages and calls intercepted by hackers, Appthority, a mobile security firm, warned yesterday.

According to Appthority's director of security research, Seth Hardy, developers mistakenly hard-coded into their apps the credentials used to access services provided by Twilio Inc. Hackers could recover those credentials by reviewing the apps' code and then gain access to data sent over those services, he said. Twilio is a San Francisco-based cloud communications platform-as-a-service company.

According to commentators, the findings point to new threats posed by the increasing use of third-party services such as Twilio that provide mobile apps with functions like text messaging and audio calls. Security vulnerabilities could be inadvertently introduced by developers if they did not properly code or configure such services.

''This isn't just limited to Twilio. It's a common problem across third-party services,'' Reuters reported, quoting Hardy. ''We often notice that if they make a mistake with one service, they will do so with other services as well.''

Meanwhile, Appthority said in a press release, ''Today, Appthority, the global leader in enterprise mobile threat protection, published research on its recent discovery of the Eavesdropper vulnerability, which has resulted in a large-scale data exposure. Eavesdropper is caused by developers carelessly hard coding their credentials in mobile applications that use the Twilio REST API or SDK, despite best practices the company clearly outlines in its documentation. Twilio has reached out to all developers with affected apps and is actively working to secure their accounts.

''An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data.''

Appthority security researchers have identified this as a real and ongoing threat affecting nearly 700 apps in enterprise mobile environments, over 170 of which are live in the official app stores today. Affected Android apps alone have been downloaded up to 180 million times.''
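The root cause described above is credentials hard-coded into app binaries, where anyone who decompiles the app can read them. The following is an added example (not Appthority's or Twilio's code) of a pre-release check a development team could run over its own source or decompiled tree to catch this before shipping; it assumes the publicly documented Twilio formats (Account SIDs are "AC" plus 32 lowercase hex characters, API Key SIDs "SK" plus 32 hex, auth tokens 32 hex), and the sample Java snippets and the `api.example.com` endpoint are constructed for illustration.

```python
"""Pre-release check for hard-coded Twilio credentials in an app's sources.

Assumed (publicly documented) formats: Account SID = 'AC' + 32 lowercase hex,
API Key SID = 'SK' + 32 hex, auth token = 32 hex. Not Twilio's own tooling."""
import re
from pathlib import Path

SID_RE = re.compile(r"\b(?:AC|SK)[0-9a-f]{32}\b")
# Token-shaped: exactly 32 lowercase hex, not part of a longer hex run (e.g. a SHA-256).
HEX32_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-f]{32}(?![0-9a-fA-F])")
SOURCE_SUFFIXES = {".java", ".kt", ".smali", ".xml", ".json", ".properties", ".swift", ".m", ".plist"}

def scan_text(text):
    """Findings for one file as a list of (severity, kind, value).
    A SID alone is only an identifier (MEDIUM); a SID plus a token-shaped string
    in the same file is a usable credential pair (HIGH). Bare 32-hex strings with
    no SID in the file are ignored so every MD5 hash is not flagged."""
    sids = [m.group(0) for m in SID_RE.finditer(text)]
    sid_tails = {s[2:] for s in sids}  # never report a SID's own hex tail as a token
    tokens = [m.group(0) for m in HEX32_RE.finditer(text) if m.group(0) not in sid_tails]
    if not sids:
        return []
    severity = "HIGH" if tokens else "MEDIUM"
    findings = [(severity, "twilio_sid", s) for s in sids]
    findings += [("HIGH", "twilio_token_candidate", t) for t in tokens]
    return findings

def scan_tree(root):
    """Walk a directory (e.g. your own decompiled APK) and return
    {relative_path: findings} for every file that has a finding."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            findings = scan_text(path.read_text(errors="ignore"))
            if findings:
                report[str(path.relative_to(root))] = findings
    return report

# Constructed samples, not taken from any real app.
LEAKY_JAVA = '''public class SmsClient {
    static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    static final String AUTH_TOKEN  = "fedcba9876543210fedcba9876543210";
}'''
HARDENED_JAVA = '''public class SmsClient {
    // Twilio credentials stay on our backend; the app only asks it to send on its behalf.
    static final String SEND_ENDPOINT = "https://api.example.com/v1/sms/send";
}'''

if __name__ == "__main__":
    for name, src in (("leaky", LEAKY_JAVA), ("hardened", HARDENED_JAVA)):
        print(name, scan_text(src))
```

The hardened sample shows the shape of the fix the article implies: the app holds no Twilio credential at all and calls the developer's own backend, which keeps the SID and token server-side.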