Mobile-app errors expose data on 180 million phones: security firm


Reuters | Published: November 10, 2017 11:42:54 | Updated: November 11, 2017 15:26:53


A banner for communications software provider Twilio Inc hangs on the facade of the New York Stock Exchange (NYSE) to celebrate the company's IPO in New York City, US, June 23, 2016. Reuters

A simple coding error in at least 685 apps put millions of smartphone users at risk of having some of their calls and text messages intercepted by hackers, cyber-security firm Appthority warned on Thursday.

Developers mistakenly coded credentials for accessing text messaging, calling and other services provided by Twilio Inc (TWLO.N), said Appthority’s director of security research, Seth Hardy. Hackers could access those credentials by reviewing the code in the apps, then gain access to data sent over those services, he said.

Affected apps include the AT&T Navigator app pre-installed on many Android phones and more than a dozen GPS navigation apps published by Telenav Inc (TNAV.O). Such apps have been installed as many as 180 million times on Android phones and an unknown number of times on Apple’s iOS-based devices.

Shares of Twilio slid nearly 7 per cent after the Appthority report. Hackers covet Twilio credentials because they are used in a variety of apps that send text messages, process phone calls and handle other services. Hackers could access related data if they log into a developer’s Twilio account, Hardy said.

Appthority, cautious not to tip off potential hackers, did not list all the apps that could be vulnerable. Twillio’s website says its users include Uber Technologies Inc and Netflix Inc. However, large companies like those typically have security reviews that catch common coding errors like the one Appthority described.

There was no indication that Uber or Netflix (NFLX.O) were affected by the problem.

The findings highlight new threats posed by the increasing use of third-party services such as Twilio, which says on its website that it powers communications for more than 40,000 businesses worldwide. Developers can inadvertently introduce security vulnerabilities if they do not properly code or configure such services.

“This isn’t just limited to Twilio. It’s a common problem across third-party services,“ Hardy said. ”We often notice that if they make a mistake with one service, they will do so with other services as well.”

Appthority said it also warned Amazon.com Inc (AMZN.O) that it had found credentials for at least 902 developer accounts with cloud-service provider Amazon Web Services in a scan of 20,098 different apps.

Those credentials could be used to access app user data stored on Amazon, Hardy said.

A representative with Amazon declined comment.

One problem with third-party services is that developers often use the same account across multiple apps, similar to how consumers might use one email address for a variety of financial services and can have fraud problems at all of them if hackers compromise that single email account.

Appthority found Twilio credentials exposed in a now-defunct version of the AT&T Navigator mapping and GPS app. The AT&T app was a re-branded version of an app originally built by Telenav.

Appthority found that newer versions of the AT&T app appeared to be safe, but data sent over them could still be at risk if the developer of a related app is still using the same Twilio account. It said the same Twilio credentials were found coded in more than a dozen other Telenav apps.

AT&T (T.N) and Telenav could not immediately be reached for comment.

The mistakes were caused by developers, not Twilio, Hardy said. Twilio’s website warns developers that leaving credentials in apps could expose their accounts to hackers.

Twilio spokesman Trak Lord said the company has no evidence that hackers used credentials coded into apps to access customer data but was working with developers to change credentials on affected accounts.

The Twilio vulnerability only affects calls and texts made inside of apps that use its messaging services, including some business apps for recording phone calls such as Wrappup and RingDNA, according to Appthority’s report. Wrappup an RingDNA could not immediately be reached for comment.

In a survey of 1,100 apps, Appthority found 685 problem apps that were linked to 85 affected Twilio accounts. That suggests the theft of credentials for one app’s Twilio account could pose a security threat to all users of as many as eight other apps.

Twilio’s shares closed down 6.8 per cent at $25.93. Shares had rallied in pre-market trading after Twilio beat revenue expectations and raised its revenue forecast during an earnings report after the markets closed on Wednesday.

Share if you like