November 9, 2017 by

App Coding Error Leaves 180 Million Smartphones Vulnerable to Data Theft

A simple coding error in at least 685 mobile applications has left up to 180 million smartphone owners at risk of having their text messages and calls intercepted by hackers, security researchers have discovered.

According to cybersecurity firm Appthority, app developers have mistakenly hard-coded credentials for accessing services provided by communications software provider Twilio. Hackers could review the code in the apps to obtain those credentials and then have free rein over the data sent over those services.

The vulnerability puts the spotlight on an increasingly common problem posed by third-party services that allow mobile applications to feature functions like audio calls and text messaging. Back-end services like Twilio are particularly attractive to hackers as app developers commonly reuse their accounts to build and release multiple apps.

As reported by Reuters, Appthority’s director of security research Seth Hardy said:

“This isn’t just limited to Twilio. It’s a common problem across third-party services. We often notice that if they make a mistake with one service, they will do so with other services as well.”

Multiple apps use Twilio to make phone calls and send text messages, among other services. If hackers log in to the developer accounts, they will gain access to users’ data. Hardy went on to confirm that the critical errors are to be blamed on app developers rather than Twilio.

In a survey of 1,100 apps, the security firm discovered that 685 vulnerable apps were linked to 85 affected Twilio accounts. In effect, the theft of credentials from one app’s Twilio account could expose users of up to eight other apps.

For its part, Twilio warns developers that leaving credentials within their apps would expose their accounts to hackers. The company moved to confirm that no evidence had been uncovered of hackers using credentials coded into related apps to access customer data. The firm also insists that it is working with developers to change credentials on vulnerable accounts.
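
A pre-release check for the mistake described above, as an added example that is not from Appthority, Twilio or the original article: it scans an app package for strings shaped like a Twilio Account SID ("AC" plus 32 hex characters) and notes whether a 32-hex, token-shaped value sits nearby. The function names, the 256-byte window and the sample package with its made-up credentials are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# A Twilio Account SID is "AC" + 32 hex characters. An auth token is 32 hex
# characters with no prefix, so it is only flagged when it sits near a SID.
SID_RE = re.compile(rb"(?<![0-9A-Za-z])AC[0-9a-fA-F]{32}(?![0-9A-Za-z])")
TOKEN_RE = re.compile(rb"(?<![0-9A-Za-z])[0-9a-fA-F]{32}(?![0-9A-Za-z])")
WINDOW = 256  # bytes searched on each side of a SID (assumed value)


def scan_blob(name, data):
    """Report each SID-shaped string in one file and whether a token-shaped value is close by."""
    findings = []
    for m in SID_RE.finditer(data):
        before = data[max(0, m.start() - WINDOW):m.start()]
        after = data[m.end():m.end() + WINDOW]
        findings.append({
            "file": name,
            "offset": m.start(),
            "sid": m.group()[:6].decode() + "...",  # redacted for build logs
            "token_nearby": bool(TOKEN_RE.search(before + b" " + after)),
        })
    return findings


def scan_package(package_bytes):
    """Scan every member of an APK or IPA; both are ZIP archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                findings.extend(scan_blob(info.filename, zf.read(info)))
    return findings


def build_sample_package():
    """Constructed package: the SID and token below are made-up values."""
    sid = b"AC" + b"0123456789abcdef" * 2
    token = b"deadbeef" * 4
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("assets/config.json", b'{"sid":"' + sid + b'","token":"' + token + b'"}')
        zf.writestr("res/raw/notes.txt", b"ACCOUNT settings screen, build 42")
        zf.writestr("classes.dex", b"dex\n035\x00" + sid + b"\x00padding")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_package(build_sample_package()):
        print(finding)
```

Run as a build gate, any finding should fail the release; credentials found this way belong on a server the app calls, and the exposed ones need to be changed.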


About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
