App developers love using backend-as-a-service (BaaS) companies to store and host the data they collect from users, but researchers recently warned the way they do so could be putting sensitive data in front of the prying eyes of cybercriminals.

“(In)Security of Backend-as-a-Service,” a paper presented at the recent Black Hat Europe conference, showed how hard-coded credentials in many iOS and Android apps could be easily removed to provide access to sensitive data. As part of their study, the researchers published a tool called HAVOC to help spot apps where BaaS connections might introduce security risks. Close to 19 million records and 56 million pieces of data were discovered in a review of 2 million apps.

To some extent, the very ease of using BaaS services is the same reason they pose security threats. As Computerworld noted, app developers can quickly sign up and download a software development kit (SDK) to start using third-party providers to store information in the cloud and manage things like push notifications. The research revealed that there is a systemic mistake being made: using primary BaaS credentials as access keys. This puts cybercriminals much closer to sensitive data than they would hope to get otherwise.

For example, SecurityWeek reported that researchers were quickly able to see personally identifiable information such as dates of birth, phone numbers, email addresses and locations. Even worse, it’s possible for third parties to modify sensitive data they obtain through BaaS services depending on the kind of mobile app in use. This could open up even more security problems if attackers start to exploit these holes and tamper with financial transaction records, social media profile details and so on.

Of course, a lot of consumer mobile apps are made by independent developers. As more large companies and brands create apps for personal or even business use, they may approach BaaS offerings a little differently and use more security-focused default credentials that would protect sensitive data. In the meantime, The Register suggested that ongoing education for the developer community should become a priority for companies like Amazon and Facebook, as should vulnerability scanning before apps are submitted to app stores.