App Coding Error Leaves 180 Million Smartphones Vulnerable to Data Theft

A simple coding error in at least 685 mobile applications has left up to 180 million smartphone owners at risk of having their text messages and calls intercepted by hackers, security researchers have discovered.

According to cybersecurity firm Appthority, app developers have mistakenly coded credentials for accessing services provided by communications software provider Twilio. Fundamentally, hackers could review the code in the apps to gain access to those credentials before free reign over looking into data sent over those services.

The vulnerability puts the spotlight on an increasingly common problem posed by third-party services that allow mobile applications to feature functions like audio calls and text messaging. Back-end services like Twilio are particularly attractive to hackers as app developers commonly reuse their accounts to build and release multiple apps.

As reported by Reuters, Appthority’s director of security research Seth Hardy said:

This isn’t just limited to Twilio. It’s a common problem across third-party services. We often notice that if they make a mistake with one service, they will do so with other services as well.

Multiple apps use Twilio to make phone calls and send text messages among other services. If hackers login to the developer accounts, they will gain access to users’ data. Hardy went on to confirm that the critical errors are to be blamed on app developers rather than Twilio.

In a survey of 1,100 apps, the security firm discovered that 685 vulnerable apps were linked to 85 affected Twilio accounts. Fundamentally, the theft of credentials from one app’s Twilio account could expose users of up to eight other apps.

For its part, Twilio warns developers that leaving credentials within their apps would expose their accounts to hackers. The company moved to confirm that no evidence had been uncovered of hackers using credentials coded into related apps to access customer data. The firm also insists that it is working with developers to change credentials on vulnerable accounts.

Image credit: Pexels.