
posted by janrinok on Friday August 16 2019, @07:12AM   Printer-friendly
from the Don't-Move! dept.

Submitted via IRC for SoyCow7671

Researchers: Cloud Services Compromise Mobile Apps

Cloud-based back-end services are letting mobile app developers down, according to research (PDF) announced this week. Even when app developers are careful about their own code, the online services they rely on regularly introduce vulnerabilities.

The research, from the Georgia Institute of Technology and The Ohio State University, studied the top 5,000 apps on the Google Play Store. It found that between them, they were using 6,869 server networks across the world.

They scanned the cloud-based back-ends and found 1,638 vulnerabilities, 655 of which were zero-days not listed in the National Vulnerability Database. These included SQL injection, cross-site scripting and XML external entity (XXE) attacks. Some of the affected apps had over 50 million installations, according to the paper.
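To make the first of those vulnerability classes concrete, here is an added example (not code from the paper, the SkyWalker tool, or any of the scanned back-ends) of a hypothetical back-end lookup handler written two ways: one that pastes the mobile client's input into the SQL text, and one that binds it as a parameter. The table, the rows and the `lookup_*` function names are constructed for the example; the database is an in-memory SQLite instance so it runs offline.

```python
import sqlite3

# Constructed sample data standing in for an app's cloud back-end user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Hypothetical back-end handler: client input is pasted into the SQL text.

    Whatever the mobile client sends in `name` becomes part of the statement,
    so a crafted value changes the query's logic instead of being treated as data.
    """
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Same handler with a bound parameter.

    The driver ships the value separately from the statement text, so the
    input can only ever be compared against the name column, never parsed as SQL.
    """
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo() -> dict:
    """Run both handlers against a benign name and a tautology payload."""
    conn = make_db()
    benign = "alice"
    # Classic payload: closes the string literal, then ORs in an always-true clause.
    payload = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_payload": lookup_vulnerable(conn, payload),
        "hardened_benign": lookup_hardened(conn, benign),
        "hardened_payload": lookup_hardened(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

With the benign name both handlers return the single matching row. With the payload, the vulnerable handler's statement becomes `... WHERE name = 'x' OR '1'='1'` and dumps every row in the table, while the hardened handler looks for a user literally named `x' OR '1'='1` and returns nothing. The same distinction (data bound separately from structure) is what an SDK's back-end would need to get right on every endpoint an app touches, which is exactly what an app developer cannot verify from the client side.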

Mobile apps reach back-end services through third-party software-development kits (SDKs) and APIs. Developers add some of them deliberately, but many others arrive hidden inside imported third-party libraries. The apps that use these services communicate with them invisibly: users don't know what the services are doing, or exactly which servers their phones are talking to, when their apps fetch content and advertisements.

[...] The researchers scanned the apps with a tool called SkyWalker, which they will soon make available so that app developers can audit the cloud-based services they are building into their apps.

They will present their findings at the USENIX Security Symposium in Santa Clara, California, which runs August 14–16, 2019.


  • (Score: 3, Insightful) by PiMuNu on Friday August 16 2019, @08:49AM (1 child)

    by PiMuNu (3823) on Friday August 16 2019, @08:49AM (#880959)

    The users don't know what their hardware is talking to, but this is by design. However, not even the developers know what their software is talking to. And it is *all* riddled with vulnerabilities.

    • (Score: 2) by Bot on Friday August 16 2019, @09:33AM

      by Bot (3902) on Friday August 16 2019, @09:33AM (#880964) Journal

      Well what do devs expect? You are developing custom software for a portable telescreen, after all.

      --
      Account abandoned.
  • (Score: 0) by Anonymous Coward on Friday August 16 2019, @10:02AM

    by Anonymous Coward on Friday August 16 2019, @10:02AM (#880971)

    If you use random 3rd party code.....

  • (Score: 3, Insightful) by deimios on Friday August 16 2019, @10:46AM (1 child)

    by deimios (201) Subscriber Badge on Friday August 16 2019, @10:46AM (#880982) Journal

    Yeah I'd trust a mobile app developer to make the network communication secure instead of a team of engineers at a cloud provider that are specialized in network security.

    Ok, so the cloud providers mess up too, but I'd still trust them more than a mobile developer, since they are actually incentivized to make their platform secure.

    • (Score: 2) by HiThere on Friday August 16 2019, @06:04PM

      by HiThere (866) Subscriber Badge on Friday August 16 2019, @06:04PM (#881210) Journal

      "mess up" is probably often the correct description. But I would wager that a non-trivial number of those vulnerabilities are better described as "back doors".

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
  • (Score: 2) by DannyB on Friday August 16 2019, @02:39PM (1 child)

    by DannyB (5839) Subscriber Badge on Friday August 16 2019, @02:39PM (#881096) Journal

    Could a lot of those cloud services used by apps be for spying and advertising? (I'm not sure which is worse, at least spying is more honest about what it is.)

    --
    The lower I set my standards the more accomplishments I have.
    • (Score: 2) by DannyB on Friday August 16 2019, @02:40PM

      by DannyB (5839) Subscriber Badge on Friday August 16 2019, @02:40PM (#881097) Journal

      OH, and malware distribution!

      --
      The lower I set my standards the more accomplishments I have.