Millions of smartphone owners are vulnerable to having their text messages and calls accessed by hackers because of credentials hard-coded into hundreds of iOS and Android mobile apps.
Enterprise mobile security vendor Appthority scanned 1100 apps that use a communications application programming interface (API) marketed by Twilio, and discovered that in many cases developers had hard-coded their Twilio account login credentials directly into the apps' code.
Anyone who extracts those credentials from an app effectively gains access to the large amounts of sensitive user data stored within the developers' Twilio accounts.
This includes hundreds of millions of call records, audio recordings, and short messaging service and multimedia text messages, Appthority said.
The firm also noted that attackers who intercept a victim's SMS and MMS messages could bypass two-factor authentication by capturing the one-time codes used for logins and password resets, which are sent over mobile telco networks.
It found 685 free and paid apps to be affected by the coding error, and 85 Twilio developer accounts whose credentials were exposed in this way.
One-third of the identified vulnerable apps are business related and have been downloaded and installed hundreds of millions of times, Appthority said.
It labelled the leak the "largest active enterprise data leak from a mobile app" discovered to date.
Appthority first discovered what it has termed the 'Eavesdropper' vulnerability in April and notified Twilio in July.
At the end of August 75 of the affected apps remained on the Google Play store and 102 were on Apple's App Store.
The affected Android apps had been downloaded up to 180 million times, Appthority said.
iTnews has contacted Twilio for comment on the matter. The blame for the vulnerability lies squarely with developers not following Twilio's security best practices, Appthority said.
The firm noted that the vulnerability has been around since at least 2009. Developers have issued updates for some of the vulnerable apps to remove the Twilio credentials from the code.
However, the fix is incomplete in most cases, because developers have not rotated the exposed Twilio API credentials (the account identifier and its authentication token). Anyone who extracts the credentials from an earlier version of an app can still use them to log in to the account, so the accounts remain wide open.
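As an added illustration (not part of the iTnews article or of Appthority's research), the following Python script shows the kind of check a security team could run over strings pulled out of shipped app builds, for example from an unpacked APK's resources and classes or an iOS bundle's plists. It looks for Twilio Account SIDs (the public "AC" plus 32 hex characters format), for a 32-hex-character token near each SID, and for HTTP Basic authorization headers that decode to a SID:token pair. It then compares app versions, so that a credential deleted from the latest build but present in an older one is still reported as needing rotation, which is the gap described above. The sample fragments, the credential values and the api.example.com backend URL are all fabricated for this example.

```python
import base64
import re
from dataclasses import dataclass

# Public format of Twilio credentials (these are shapes, not secrets): an Account SID is
# "AC" followed by 32 hex characters, an Auth Token is 32 hex characters.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
AUTH_TOKEN_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# An HTTP Basic authorization value as it commonly survives in decompiled strings.
BASIC_AUTH_RE = re.compile(r"Basic\s+([A-Za-z0-9+/=]{40,})")
# A bare 32-hex string this close to a SID is treated as its token candidate.
TOKEN_WINDOW = 300


@dataclass(frozen=True)
class Finding:
    account_sid: str
    auth_token: str  # "" when only the SID was recovered
    evidence: str    # "basic-auth", "pair" or "sid-only"


def _decode_basic(value: str):
    """Return (sid, token) if a Basic auth value decodes to a Twilio SID:token pair."""
    try:
        raw = base64.b64decode(value, validate=True).decode("ascii")
    except Exception:
        return None
    sid, sep, secret = raw.partition(":")
    if sep and ACCOUNT_SID_RE.fullmatch(sid) and AUTH_TOKEN_RE.fullmatch(secret):
        return sid, secret
    return None


def scan_text(blob: str) -> list:
    """Find Twilio account credentials in one blob of extracted strings."""
    findings = set()
    for m in BASIC_AUTH_RE.finditer(blob):
        decoded = _decode_basic(m.group(1))
        if decoded:
            findings.add(Finding(decoded[0], decoded[1], "basic-auth"))
    for m in ACCOUNT_SID_RE.finditer(blob):
        sid = m.group(0)
        window = blob[max(0, m.start() - TOKEN_WINDOW):m.end() + TOKEN_WINDOW]
        # Any 32-hex string near the SID (other than the SID's own hex part) is a token candidate.
        tokens = [t.group(0) for t in AUTH_TOKEN_RE.finditer(window)
                  if t.group(0).lower() != sid[2:].lower()]
        if tokens:
            findings.update(Finding(sid, tok, "pair") for tok in tokens)
        else:
            findings.add(Finding(sid, "", "sid-only"))
    return sorted(findings, key=lambda f: (f.account_sid, f.auth_token, f.evidence))


def scan_versions(versions: dict) -> dict:
    """versions maps version label -> extracted strings, oldest to newest in insertion order.

    A credential that shipped in ANY build must be rotated: stripping it from the newest
    build does not help while older builds remain installed or downloadable.
    """
    latest = list(versions)[-1]
    report = {}
    for label, blob in versions.items():
        for f in scan_text(blob):
            entry = report.setdefault(f.account_sid, {"versions": [], "tokens": set()})
            if label not in entry["versions"]:
                entry["versions"].append(label)
            if f.auth_token:
                entry["tokens"].add(f.auth_token)
    for entry in report.values():
        entry["in_latest"] = latest in entry["versions"]
        entry["action"] = ("remove from app and rotate credential" if entry["in_latest"]
                           else "rotate credential: still recoverable from older builds")
    return report


# Constructed sample input (fabricated values): an old build with the credentials in a
# resource file and in a prebuilt Basic auth header, and a new build that only talks to a
# hypothetical backend at api.example.com.
FAKE_SID = "AC0123456789abcdef0123456789abcdef"
FAKE_TOKEN = "fedcba9876543210fedcba9876543210"
SAMPLE_V1 = (
    f'<string name="twilio_sid">{FAKE_SID}</string>\n'
    f'<string name="twilio_token">{FAKE_TOKEN}</string>\n'
    "Authorization: Basic " + base64.b64encode(f"{FAKE_SID}:{FAKE_TOKEN}".encode()).decode() + "\n"
)
SAMPLE_V2 = '<string name="api_base">https://api.example.com/sms</string>\n'

if __name__ == "__main__":
    for sid, entry in scan_versions({"1.0": SAMPLE_V1, "1.1": SAMPLE_V2}).items():
        print(sid, entry["versions"], entry["action"])
```

Run against real builds, the blobs would come from tools such as `strings` over the unpacked app rather than the constructed fragments here. The version comparison is the point of the script: a build history in which the credential vanishes from the latest release still produces a rotation finding, because the older release is what an attacker would simply download.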