18,000 Android and iPhone apps leaking user data — what you need to know


More than 18,000 Android and iOS apps are leaking their users' sensitive personal data from improperly secured cloud servers, Dallas-based security firm Zimperium has found.

The leaking information includes medical test results, session tokens for online banking and shopping websites and user photos, usernames, real names, phone numbers, email addresses and street addresses. Details of server configurations, online payment systems, airport transportation systems, encryption keys and even blank bank checks were also exposed.

"Our analysis revealed a number of significant issues that exposed PII [personally identifiable information, i.e. sensitive data], enabled fraud and/or exposed IP or internal systems and configurations," wrote Zimperium's Chilik Tamir in a report released Thursday (March 4).

With nothing but a browser and command-line tools, anyone who knew where to look could access this exposed data without having to guess a password. For that reason, Zimperium isn't naming any names here, but the report does say that among the guilty parties are a "major game app," "social media apps," a "Fortune 500 mobile wallet," a "major online retailer" and a "major music service."

"It's a disturbing trend," Zimperium CEO Shridhar Mittal told Wired's Lily Hay Newman. "Most of us have some of these apps right now."

Forgetting to lock the door

Many smartphone apps rely on cloud databases to hold user data. Whether you're streaming Netflix, checking social media or email or playing a multiplayer game, the app you're using is just the front end of a huge online repository on a server that's often leased from Amazon, Google or Microsoft.

Yet Amazon, Google and Microsoft don't go around making sure that each and every one of their cloud-computing clients has properly secured its databases. It's up to the clients to do so, and many don't do a good job. They're like someone opening up a boutique storefront while forgetting to lock the back door into the alley.

"The process of securing these cloud containers used by mobile applications tends to be overlooked by app developers while the impact of a misconfigured cloud container on the app developer, their business and their users can be extremely high," said the Zimperium report.
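The "unlocked back door" described above is, concretely, a storage or database access policy that grants read access to an anonymous principal. The following is an added example, not code from the article or from Zimperium: a small linter that takes a bucket policy in the AWS S3 policy-document format (an assumption, since the article names no provider or syntax) and reports which statements let anyone read objects. Both sample policies are constructed for illustration.

```python
import fnmatch
import json

# Constructed sample policies (not from the article). The first is the kind of
# misconfiguration the report describes: anyone on the internet may fetch objects.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryoneToRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-app-user-uploads/*"
    }]
})

# The corrected form: only the app's own backend role may read or write.
LOCKED_DOWN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppBackendOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-app-user-uploads/*"
    }]
})

READ_ACTIONS = ("s3:getobject", "s3:listbucket")

def _as_list(value):
    # Policy fields may be a single value or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "Principal": "*" or {"AWS": "*"} both mean "anyone, unauthenticated".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False

def _grants_read(actions):
    # Action entries may use wildcards such as "s3:*" or "s3:Get*".
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatch.fnmatch(act, pat) for act in READ_ACTIONS for pat in patterns)

def find_public_read_statements(policy_json):
    """Return the Sids of Allow statements granting read access to everyone.
    Condition blocks are ignored, so every hit deserves a manual review."""
    policy = json.loads(policy_json)
    return [stmt.get("Sid", "<no Sid>")
            for stmt in _as_list(policy.get("Statement", []))
            if stmt.get("Effect") == "Allow"
            and _is_anonymous(stmt.get("Principal"))
            and _grants_read(stmt.get("Action", []))]
```

Running `find_public_read_statements` over every bucket policy in an account is a cheap periodic check; a non-empty result for a bucket holding user data is exactly the condition the report warns about.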

More than 1 in 8 fail to secure the back end

Mittal told Wired that Zimperium researchers analyzed 1.3 million smartphone apps and found about 130,000 that used leased cloud servers to power their back ends.

Of these apps, about 14% — nearly 12,000 Android apps and more than 6,500 iOS ones — "had unsecure configurations and were vulnerable to the risks described in this post," as the Zimperium report states.

Mittal told Wired that his company had been trying to reach out to the app owners and developers to notify them of the flaw, but that there's often little or no response.

Unfortunately, without knowing which apps are behaving badly, there's no specific action that the user can take to protect against sensitive data leaks. All you can do is try to limit the amount of information about yourself that you put online, though that's often an impossible battle considering how much data apps and websites hoover up without your permission.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.