As many as 180 million smartphone users are at risk of having texts and calls hijacked by hackers – all due to a simple coding error in at least 685 different mobile apps. A warning was released by the cybersecurity firm Appthority late last week. According to Appthority, the vulnerability (known as Eavesdropper) could let hackers inside an app to access confidential knowledge, without the user knowing.
Developers accidentally coded the credentials needed to access services by Twilio, including its text messaging and calling services. For hackers, this coding error made it essentially as simple as reviewing the code in the apps to discover the credentials, then gaining access to the data sent over those vulnerable apps.
Based on Appthority’s report (which you can read here) Eavesdropper has been present since 2011 and requires only three steps to achieve; “reconnaissance, exploitation, and exfiltration”.
Twilio is known to provide communication services for more than 40,000 businesses and the Eavesdropper vulnerability only affects calls and texts made from inside the vulnerable apps. The affected apps include multiple GPS apps by Telenav and the AT&T Navigator app which tends to come pre-installed on Android devices. As of writing this post, the affected apps in total have been installed an estimated 180 million times on Android devices (the number of times on iOS devices is still unknown).
The security researchers confidentially reported the bug to the affected companies, and many of the apps have since been removed from the Play Store/App Store and have been patched.
How To Prevent This From Happening To You
This vulnerability is a prime example of how developers can unintentionally introduce security vulnerabilities to an application due to something as ‘simple’ as a coding error. Additionally, this vulnerability serves as a great example to how a company can prevent such a vulnerability from exposing their app with something as ‘simple’ as regular security checks.
An application’s security also, in part, lies in the developer’s’ hands. Development teams need to be vigilant and code securely to help ensure their apps are vulnerability-free. The results of the SANS 2016 State of Application Security survey show us that when it comes to application security, the lack of application security skills, tools, and methods is one of the biggest challenges companies face today. Among those skills lacking, a big gap is with the developer’s secure coding knowledge. Traditional secure coding educational courses are considered to be boring, time consuming, and don’t always address the unique and precise challenges developers face – so, it’s no wonder why coding errors sometimes make their way into an app’s code and blossom into vulnerabilities.
However, when it comes to developer secure coding training – Codebashing is a solution which provides easy, bite-sized, quick and in-context training sessions based on an imminent problem. You can try Codebashing for free by clicking here.
In addition to empowering developers with the best secure coding tools possible, it’s critical to have a source code analysis tool in your own arsenal.
Static Application Security Testing (SAST) is an effective method of scanning an application’s source code to detecting vulnerabilities very early in SDLC. SAST’s main job is to analyze an app’s source code to find the evil threats lurking inside of the code. By applying security and preventing vulnerabilities from the very start of a development lifecycle and by incorporating security throughout the SDLC paired with strong and stable secure coding practices, you can ensure that you will be putting your best application forward and the chance of falling victim for a vulnerability as the Eavesdropper is as unlikely as possible.
- Is Your Child’s Data Safe From The Man In The Middle?
- South Africa’s Biggest Data Breach: What You Need To Know
Latest posts by Arden Rubens (see all)
- Uses CxSAST to Develop Secure Software - May 17, 2018
- CxSAST for Amazon Web Services - May 15, 2018
- Amazon’s Alexa could be tricked into snooping on users, say security researchers - May 7, 2018