November 9, 2017 by

App Coding Error Leaves 180 Million Smartphones Vulnerable to Data Theft

A simple coding error in at least 685 mobile applications has left up to 180 million smartphone owners at risk of having their text messages and calls intercepted by hackers, security researchers have discovered.

According to cybersecurity firm Appthority, app developers have mistakenly hard-coded into their apps the credentials used to access services provided by communications software provider Twilio. In effect, anyone who examines the apps' code can recover those credentials and then has free rein to inspect the data sent over those services.

The vulnerability puts the spotlight on an increasingly common problem posed by third-party services that allow mobile applications to feature functions like audio calls and text messaging. Back-end services like Twilio are particularly attractive to hackers as app developers commonly reuse their accounts to build and release multiple apps.

As reported by Reuters, Appthority’s director of security research Seth Hardy said:

This isn’t just limited to Twilio. It’s a common problem across third-party services. We often notice that if they make a mistake with one service, they will do so with other services as well.

Multiple apps use Twilio to make phone calls and send text messages, among other services. If hackers log in to the developer accounts, they gain access to users' data. Hardy went on to confirm that the critical errors are the fault of app developers rather than Twilio.

In a survey of 1,100 apps, the security firm discovered that 685 vulnerable apps were linked to 85 affected Twilio accounts. As a result, the theft of credentials from one app's Twilio account could expose users of up to eight other apps.

For its part, Twilio warns developers that leaving credentials within their apps exposes their accounts to hackers. The company also said it had found no evidence of hackers using credentials embedded in the affected apps to access customer data, and that it is working with developers to rotate the credentials on vulnerable accounts.
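The mistake described above is a hard-coded secret that ships inside the app bundle, so the defensive control is to scan an app's extracted strings or configuration for credential-shaped values before release, and to keep the Twilio credentials on a backend the developer controls. The following is an added example written for this article, not code from Appthority, Twilio or any of the affected apps. The Account SID format ("AC" followed by 32 hex characters) is Twilio's documented form; treating a 32-hex-character value next to a key named like "auth_token" as a candidate secret is a heuristic assumed here, and all sample strings are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Twilio Account SIDs are documented as "AC" + 32 hex characters.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")

# Heuristic (an assumption for this example): a 32-hex value assigned to a
# key that looks like an auth token or secret is treated as a candidate token.
AUTH_TOKEN_RE = re.compile(
    r"(?i)(auth[_-]?token|twilio[_-]?token|secret)\s*[=:]\s*[\"']?([0-9a-fA-F]{32})\b"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def scan_strings(text: str) -> List[Finding]:
    """Scan strings or config text extracted from an app for embedded credentials."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCOUNT_SID_RE.finditer(line):
            findings.append(Finding(line_no, "twilio_account_sid", m.group(0)))
        for m in AUTH_TOKEN_RE.finditer(line):
            findings.append(Finding(line_no, "twilio_auth_token", m.group(2)))
    return findings


def redact(value: str) -> str:
    """Keep only a short prefix so a scan report does not itself leak the secret."""
    return value[:6] + "..." if len(value) > 6 else value


def report(text: str) -> List[str]:
    """Human-readable lines for a release checklist; empty means nothing was found."""
    return [f"line {f.line_no}: {f.kind} {redact(f.value)}" for f in scan_strings(text)]


# Constructed sample: strings pulled from an app bundle where the developer
# embedded the Twilio account credentials directly (the pattern in the article).
VULNERABLE_STRINGS = (
    "TWILIO_ACCOUNT_SID=AC0123456789abcdef0123456789abcdef\n"
    "TWILIO_AUTH_TOKEN=fedcba9876543210fedcba9876543210\n"
    "SMS_ENDPOINT=https://api.twilio.com/2010-04-01/Accounts/\n"
)

# Constructed sample of the mitigated design: the app only knows the URL of the
# developer's own backend (hypothetical host), which holds the Twilio credentials
# server-side and sends messages on the app's behalf after authenticating the user.
HARDENED_STRINGS = "SMS_ENDPOINT=https://backend.example.com/api/v1/send-sms\n"


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_STRINGS), ("hardened", HARDENED_STRINGS)):
        lines = report(sample)
        print(f"{label}: {len(lines)} finding(s)")
        for line in lines:
            print("  " + line)
```

Running the block reports the Account SID and auth token from the constructed vulnerable sample and nothing from the hardened one. The key design point is the second sample: once the secret lives only on the developer's backend, extracting the app yields no credential, and rotating the token after an incident no longer requires shipping a new app build.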

Image credit: Pexels.

About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
