Coding errors in 685 mobile apps leave 180 million smartphone users vulnerable
Up to 180 million smartphone users may have some of their text messages and calls intercepted by hackers because of a coding error that affects at least 685 mobile apps, cyber security experts say.
Developers mistakenly embedded the credentials for accessing services provided by Twilio Inc in their apps' code. Anyone who reviews that code can recover those credentials and then gain access to the data sent over those services.
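The mistake described above is a hard-coded credential shipped inside the app package. The following is an added example, not code from the article or from Twilio, of the kind of pre-release check a development team can run over its source tree to catch it. The Twilio Account SID format ("AC" followed by 32 hex characters) is the documented one; the other rules, the placeholder list, and the `CredentialProvider` helper in the hardened sample are assumptions.

```python
import re

# Rules for credentials that must never ship inside an app package. The Twilio
# Account SID format is documented; the other two rules are broad assumptions.
SECRET_PATTERNS = {
    "twilio_account_sid": re.compile(r"\bAC[0-9a-fA-F]{32}\b"),
    "twilio_auth_token": re.compile(
        r"(?i)(auth[_-]?token)\s*[=:]\s*[\"']([0-9a-f]{32})[\"']"),
    "generic_password": re.compile(
        r"(?i)(password|passwd|secret)\s*[=:]\s*[\"']([^\"']{6,})[\"']"),
}
# Documentation placeholders are not live secrets; skipping them cuts noise.
PLACEHOLDER = re.compile(r"(?i)(your[_-]|changeme|placeholder|example)")

def scan_source(text: str) -> list[tuple[str, int, str]]:
    """Return (rule, line_no, masked_line) for every literal credential found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m is None:
                continue
            value = m.group(m.lastindex or 0)  # last group holds the secret
            if PLACEHOLDER.search(value):
                continue
            # Mask the value so the scanner's own report does not leak it.
            masked = line.strip().replace(value, value[:4] + "***")
            findings.append((rule, line_no, masked))
    return findings

# Constructed sample of the mistake described above: the service credentials
# are compiled into the app, so anyone who unpacks it can read them.
VULNERABLE_SOURCE = """\
public class SmsClient {
    private static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    private static final String AUTH_TOKEN  = "fedcba9876543210fedcba9876543210";
    private static final String DB_PASSWORD = "hunter2-but-longer";
}
"""

# Constructed sample of the fix: the app holds no service secret and asks the
# developer's own backend (assumed CredentialProvider helper) for a short-lived
# token, so the real credentials stay server-side.
HARDENED_SOURCE = """\
public class SmsClient {
    private final CredentialProvider provider;
    String token = provider.fetchShortLivedToken(userSession);
    String password = "CHANGEME";  // config template placeholder, not a secret
}
"""
```

Running `scan_source` over the two samples reports three findings for the vulnerable class and none for the hardened one; wiring such a check into the build is the cheap part, while moving the credential off the device is the actual fix.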
Logins, passwords compromised
The sheer number of apps affected by this is quite significant, according to cyber security experts.
As a result, it is likely that hackers have access to logins and passwords, the cyber equivalent of handing them the keys to your house.
Another worrying aspect, experts say, is that we do not even have the complete list of the apps, so no one really knows whether they may have been hacked or not.
It really depends on the types of application that have been affected.
"Some of the claims of the security company are that call recordings, the content of call recordings could be accessed, which is quite concerning from a privacy point of view," says David Rogers, the CEO of Copperhorse, which provides consultancy for mobile security.
"But really in terms of the impact, Twilio have said that they're going to act very quickly to revoke the apps that have been affected and so the window of opportunity for malicious hackers is very small."
Rogers adds that nobody knows how long this has been exposed; some say it may have been the case since 2011.
"And that is of some concern. So Twilio really need to give some confidence to users and those app developers need to give confidence to their users that they haven't been exposed for nearly six years."
And the problem is not confined to the users of the apps themselves; it goes beyond them.
"If you've been hacked, you've been hacked," says Caroline Borriello from Pradeo, a company which provides mobile application security solutions.
"The thing is, this is not only the users that have been hacked, it's not the number of users that have been leaked, but it's the people these apps users have called or have sent text messages to, using the Twilio server that have been leaked.
"So people don't know at the end of the day, because people that have been called might not be aware they've been called through this server and that maybe their data is at risk."
"Once you download the application, it's like when you open all the doors to your house, because you are letting the application do what it wants," says Nicolas Arpagian, the Academic Director of the "CyberSecurity Programme" at France's National Institute for Security.
"For instance, once you have an app on your smartphone, and I'm talking about legitimate applications, they are already doing some bizarre things, like taking some elements of your address book, like, looking at where you are, looking at all the information inside your smartphones."
Arpagian says that this already amounts to a serious intrusion into your privacy.
"But when someone is deliberately doing that, who wants to hack your phone, he has access to everything concerning your contacts, your pictures, all the things that you have in your smartphone. This is a very deep way of hacking personal lives of individuals."
Moreover, experts say it is crucial for the companies that develop the apps to be more careful.
"There is a lack of transparency. We know now, we are convinced that Google and Apple do not perform technical checks before releasing an application," according to Eric Filiol, the head of Operational Cryptography and Computer Virology lab in France.
"We know that developers are not very efficient at secure programming, they don't use proper tools. In fact, they just develop so quickly, because there is some sort of pressure, not to say hysteria, in application development, that in fact, all the security aspects, all the security checks are no longer performed.
"So basically, one needs to be extra cautious regarding the apps one downloads, make sure it is from a known website - but even then, there's no guarantee - and try not to rely too much on our smartphones.