November 18, 2015 By Shane Schick 2 min read

App developers love using backend-as-a-service (BaaS) companies to store and host the data they collect from users, but researchers recently warned the way they do so could be putting sensitive data in front of the prying eyes of cybercriminals.

(In)Security of Backend-as-a-Service,” a paper presented at the recent Black Hat Europe conference, showed how hard-coded credentials in many iOS and Android apps could be easily removed to provide access to sensitive data. As part of their study, the researchers published a tool called HAVOC to help spot apps where BaaS connections might introduce security risks. Close to 19 million records and 56 million pieces of data were discovered in a review of 2 million apps.

To some extent, the very ease of using BaaS services is the same reason they pose security threats. As Computerworld noted, app developers can quickly sign up and download a software development kit (SDK) to start using third-party providers to store information in the cloud and manage things like push notifications. The research revealed that there is a systemic mistake being made: using primary BaaS credentials as access keys. This puts cybercriminals much closer to sensitive data than they would hope to get otherwise.

For example, SecurityWeek reported that researchers were quickly able to see personally identifiable information such as dates of birth, phone numbers, email addresses and locations. Even worse, it’s possible for third parties to modify sensitive data they obtain through BaaS services depending on the kind of mobile app in use. This could open up even more security problems if attackers start to exploit these holes and tamper with financial transaction records, social media profile details and so on.

Of course, a lot of consumer mobile apps are made by independent developers. As more large companies and brands create apps for personal or even business use, they may approach BaaS offerings a little differently and use more security-focused default credentials that would protect sensitive data. In the meantime, The Register suggested that ongoing education for the developer community should become a priority for companies like Amazon and Facebook, as should vulnerability scanning before apps are submitted to app stores.

More from

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read - The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today