November 9, 2017

App Coding Error Leaves 180 Million Smartphones Vulnerable to Data Theft

A simple coding error in at least 685 mobile applications has left up to 180 million smartphone owners at risk of having their text messages and calls intercepted by hackers, security researchers have discovered.

According to cybersecurity firm Appthority, app developers have mistakenly hardcoded credentials for services provided by communications software provider Twilio into their apps. Anyone who decompiles one of those apps can read the credentials straight out of the code, and with them has free rein to pull the call and text-message data that flows through the developer's Twilio account.

The vulnerability puts the spotlight on an increasingly common problem posed by third-party services that let mobile applications offer functions like audio calls and text messaging. Back-end services like Twilio are particularly attractive to attackers because app developers commonly reuse one account to build and release multiple apps, so a single leaked credential unlocks the data of every app behind that account.
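The check a practitioner would run against an app in this situation is a scan of the strings recovered from the decompiled binary for exactly the kind of secret described above. The following is an added example written for this article, not code from Appthority, Twilio or any of the affected apps. It assumes Twilio's documented Account SID format ("AC" followed by 32 hex characters) and treats the 32-hex-character auth token length as an assumption; the sample "decompiled" class and the hardened counterpart are constructed here for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Account SIDs are documented by Twilio as "AC" + 32 hex characters.
# Auth tokens being 32 hex characters is an assumption based on what Twilio issues.
SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
PAIR_WINDOW = 400  # characters around a SID in which a token is attributed to it


@dataclass(frozen=True)
class Finding:
    line: int             # 1-based line on which the Account SID appears
    sid: str
    token: Optional[str]  # nearest 32-hex string within PAIR_WINDOW, if any

    @property
    def severity(self) -> str:
        # SID + token = full API access to the account, and therefore to every
        # app that shares it. A SID alone still tells you which account to hunt
        # a token for elsewhere in the binary.
        return "critical" if self.token else "info"


def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def mask(secret: str) -> str:
    """Redact a secret for reporting so the scan output is not itself a leak."""
    return secret[:4] + "..." + secret[-4:]


def find_twilio_credentials(text: str) -> list[Finding]:
    """Return every hardcoded Account SID, paired with the nearest nearby token."""
    tokens = [(m.start(), m.group(0)) for m in HEX32_RE.finditer(text)]
    findings: list[Finding] = []
    for sid_match in SID_RE.finditer(text):
        sid = sid_match.group(0)
        near = [
            (abs(pos - sid_match.start()), tok)
            for pos, tok in tokens
            if abs(pos - sid_match.start()) <= PAIR_WINDOW and tok != sid[2:]  # defensive
        ]
        token = min(near)[1] if near else None
        findings.append(Finding(_line_of(text, sid_match.start()), sid, token))
    return findings


def report(text: str) -> list[str]:
    """Human-readable lines, secrets masked, one per finding."""
    return [
        f"line {f.line}: {f.severity.upper()} Twilio SID {mask(f.sid)}"
        + (f" with auth token {mask(f.token)}" if f.token else " (no token nearby)")
        for f in find_twilio_credentials(text)
    ]


# Constructed sample resembling a class recovered from a decompiled APK.
SAMPLE_DECOMPILED = """\
// constructed sample resembling a class recovered from a decompiled APK
public class SmsHelper {
    private static final String ACCOUNT_SID = "ACaaaabbbbccccddddeeeeffff00001111";
    private static final String AUTH_TOKEN  = "0123456789abcdef0123456789abcdef";
    private static final String FROM_NUMBER = "+15005550006";
}
"""

# Constructed hardened counterpart: the app holds no Twilio credential at all and
# asks its own backend (hypothetical endpoint) to send the message on its behalf.
SAMPLE_HARDENED = """\
public class SmsHelper {
    // Twilio credentials stay server-side; the app only calls our own API.
    private static final String SEND_SMS_ENDPOINT = "https://api.example.invalid/send-sms";
}
"""

if __name__ == "__main__":
    for name, sample in (("decompiled", SAMPLE_DECOMPILED), ("hardened", SAMPLE_HARDENED)):
        print(f"== {name} ==")
        for line in report(sample) or ["no Twilio credentials found"]:
            print(line)
```

Run it over the output of `strings` on the app binary or over a decompiled source tree; a critical finding means the token must be rotated in the Twilio console, since every copy of the app already shipped carries it, and the credential moved behind the developer's own server, as in the hardened sample. A 32-hex string near a SID is a strong signal rather than proof, so confirm before filing.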

As reported by Reuters, Appthority’s director of security research Seth Hardy said:

This isn’t just limited to Twilio. It’s a common problem across third-party services. We often notice that if they make a mistake with one service, they will do so with other services as well.

Multiple apps use Twilio to make phone calls and send text messages, among other services. If hackers log in with the developers' credentials, they gain access to those users' data. Hardy went on to confirm that the critical errors are to be blamed on app developers rather than Twilio.

In a survey of 1,100 apps, the security firm discovered that 685 vulnerable apps were linked to 85 affected Twilio accounts. In practice, the theft of credentials from one app's Twilio account could expose users of up to eight other apps.

For its part, Twilio warns developers that leaving credentials inside their apps exposes their accounts to hackers. The company said it had found no evidence of hackers using credentials coded into the affected apps to access customer data, and that it is working with developers to rotate the credentials on vulnerable accounts.

Image credit: Pexels.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients' engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
