App developers love using backend-as-a-service (BaaS) companies to store and host the data they collect from users, but researchers recently warned the way they do so could be putting sensitive data in front of the prying eyes of cybercriminals.

(In)Security of Backend-as-a-Service,” a paper presented at the recent Black Hat Europe conference, showed how hard-coded credentials in many iOS and Android apps could be easily removed to provide access to sensitive data. As part of their study, the researchers published a tool called HAVOC to help spot apps where BaaS connections might introduce security risks. Close to 19 million records and 56 million pieces of data were discovered in a review of 2 million apps.

To some extent, the very ease of using BaaS services is the same reason they pose security threats. As Computerworld noted, app developers can quickly sign up and download a software development kit (SDK) to start using third-party providers to store information in the cloud and manage things like push notifications. The research revealed that there is a systemic mistake being made: using primary BaaS credentials as access keys. This puts cybercriminals much closer to sensitive data than they would hope to get otherwise.

For example, SecurityWeek reported that researchers were quickly able to see personally identifiable information such as dates of birth, phone numbers, email addresses and locations. Even worse, it’s possible for third parties to modify sensitive data they obtain through BaaS services depending on the kind of mobile app in use. This could open up even more security problems if attackers start to exploit these holes and tamper with financial transaction records, social media profile details and so on.

Of course, a lot of consumer mobile apps are made by independent developers. As more large companies and brands create apps for personal or even business use, they may approach BaaS offerings a little differently and use more security-focused default credentials that would protect sensitive data. In the meantime, The Register suggested that ongoing education for the developer community should become a priority for companies like Amazon and Facebook, as should vulnerability scanning before apps are submitted to app stores.

More from

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

How I Got Started: White Hat Hacker

3 min read - White hat hackers serve as a crucial line of cyber defense, working to identify and mitigate potential threats before malicious actors can exploit them. These ethical hackers harness their skills to assess the security of networks and systems, ultimately helping organizations bolster their digital defenses. But what drives someone to pursue a career as a white hat hacker, and how do you get started in leveraging so-called “evil” skills for the greater good?? In this exclusive Q&A, we spoke with…

3 min read

Heads Up CEO! Cyber Risk Influences Company Credit Ratings

4 min read - More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating. Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks. Getting Hacked Impacts Credit Scoring As per the Wall Street Journal…

4 min read

Zombie APIs are a Top Security Concern as API Attacks Surge 400%

4 min read - Organizations of all sizes rely on application programming interfaces (APIs). The API explosion has been driven by several factors, including cloud computing, demand for mobile/web applications, microservices architecture and the API economy as a business model. APIs enable developers to access data remotely, integrate with other services, build modular applications and monetize their data/services. For enterprises that participated in a recent research study, the average number of APIs per organization was 15,564. Large enterprises (over 10,000 employees) had an average…

4 min read