App backend creds pose huge security risk

A group of German security researchers have discovered gaping holes in the backend provisioning systems used for app development, which could potentially leave user data and entire platforms at risk of compromise.

Known as BaaS (backend as a service), the feature means developers don't have to invest in and provision server-side solutions for data storage for apps.

Using BaaS, users can access their data across multiple devices and recover information if their smartphone is lost or destroyed.

Many Google Android and Apple iOS apps use hard-coded credentials for convenience when accessing BaaS providers. This is a dangerous practice that opens up app large amounts of sensitive data to interception by attackers, the researchers said.

The problem is substantial, the group of researchers wrote in their paper [pdf] presented at the European Blackhat security conference.

"We analysed over 2 million applications from the Google Play Store and alternative markets and found over 1000 backend credentials, many of them re-used in several applications," the researchers wrote.

"In total over all apps, we found that more than 18.6 million records with over 56 million individual data items were freely accessible."

The researchers built a fully-automatic exploit generator, HAVOC, to find embedded credentials and verifies them with the BaaS provider.

Popular BaaS providers globally include Parse.com, now owned by Facebook, CloudMine and Amazon Web Services.

The researchers found that all three provide security features that would allow for safe data storage, however, "their defaults are mostly alarmingly insecure".

App developers tend to accept the BaaS provider defaults, which means no user data protection such as access controls or encryption are applied. 

Due to a combination of developers picking the easy way out and weak security in BaaS providers, the scenario is susceptible to data manipulation, exploitation and misuse.

The researchers said they found "millions of verified email addresses, hundreds of employee and customer records, thousands of health records, and other highly privacy-sensitive data items", stored on servers.

Furthermore, some servers allow remote code execution, arbitrary storage misuse and permit data to be manipulated and deleted at will, the researchers found.

Even though developers should avail themselves of the security features offered up by BaaS providers, it would be too easy to just blame the coders for the serious security gaps.

BaaS providers should enforce access controls for developers instead of just granting them full access to everything, the researchers suggested, as a way of mitigating the problem.

Security configuration for BaaS provision must be simple for developers to understand, the researchers said. They criticised Amazon's IAM (Identity and Access Management) as being "too complex for the average developer to handle".

Apps that contain hardwired credentials should be rejected by app stores. Amazon's app store already checks for embedded credentials and warns developers about potential security issues, but it doesn't reject them.