SoylentNews is people

posted by janrinok on Friday August 16 2019, @07:12AM
from the Don't-Move! dept.

Submitted via IRC for SoyCow7671

Researchers: Cloud Services Compromise Mobile Apps

Cloud-based back-end services are letting mobile app developers down, according to research (pdf) announced this week. Even when app developers are careful about their own code, the online services that they use introduce vulnerabilities on a regular basis.

The research, from the Georgia Institute of Technology and The Ohio State University, studied the top 5,000 apps on the Google Play Store. It found that between them, they were using 6,869 server networks across the world.

They scanned cloud-based back-ends and found 1,638 vulnerabilities, of which 655 were zero-days not listed in the National Vulnerability Database. These included SQL injection, cross-site scripting and external XML entity attacks. Some of the apps affected had over 50 million installations, according to their paper.

Mobile apps access back-end services using third-party software-development kits (SDKs) and APIs. Developers use some of them explicitly, but many others are hidden in imported third-party libraries. The apps that use these services communicate with them invisibly. Users don't know what the services are doing or exactly which servers their phones are talking with when their apps fetch content and advertisements.

[...] The researchers scanned the apps with a tool called SkyWalker, which they will soon make available for app developers to audit the cloud-based tools that they are building into their apps.

They will present their findings at the USENIX Security Symposium in Santa Clara, California, which runs August 14–16, 2019.


  • (Score: 2) by Bot (3902) on Friday August 16 2019, @09:33AM (#880964)

    Well what do devs expect? You are developing custom software for a portable telescreen, after all.

    --
    Account abandoned.