Heartbleed-like security flaw found in thousands of top Android and iOS apps
German security experts have found a flaw in the way mobile apps store data that leaves users’ personal information exposed to hackers.
Researchers identified 56 million pieces of unprotected data in the applications, which include gaming, banking and messaging services.
Siegfried Rasthofer, one of the researchers at the Fraunhofer Institute for Secure Information Technology and Darmstadt University of Technology, said: “In almost every category we found an app which has this vulnerability in it.”
Fellow researcher Eric Bodden further said that the number of exposed records could likely be in the billions.
The team of experts did not disclose the names of applications affected, but said that the list includes some of the most popular apps on the Google and Apple stores.
The flaw is being likened to last year’s Heartbleed bug, in which an OpenSSL flaw left hundreds of thousands of websites vulnerable to hacking.
Bodden said that the problem is in the way developers authenticate users when their data is stored online.
Developers can use cloud services such as Amazon Web Services to store and share user data, which usually protects the information. But some developers settle for the default option of embedding a fixed string of numbers and letters in the app’s own code as the access token, which leaves the apps open to attackers because such tokens are easy to exploit.
The researchers said there is no known case of attackers using the flaw to date, but other experts have warned that it is easy to exploit.
“The amount of effort to compromise data by exploiting app vulnerabilities is far less than the effort to exploit Heartbleed,” Toshendra Sharma, founder of India mobile security firm Wegilant, told Reuters.