Technische Universität Darmstadt and Fraunhofer SIT have investigated cloud databases such as Facebook's Parse and Amazon's AWS and found 56 million sets of unprotected data. The researchers found email addresses, passwords, health records and other sensitive information of app users, which may be easily stolen and often manipulated. App developers use cloud databases to store user data but apparently ignore the security recommendations given by the cloud providers. As a result, many user accounts are exposed to identity theft and other cybercrimes. Read the full press release here.
App Data Vulnerability Threatens Millions of Users
Eric | May 27, 2015
SSE Group Detects Massive Data Leaks in Apps using Backend-as-a-Service
Eric | May 27, 2015
With the help of CodeInspect, Appicaptor and an internally developed tool, researchers from TU Darmstadt and Fraunhofer SIT have found that many mobile applications store private information in the cloud in an easily accessible manner.
Many users of mobile applications want their data to be synced across multiple platforms (iOS/Android/Windows/OSX/…). For app developers it is typically hard to support synchronization, as they need to set up backend servers on which the data can be stored and synchronized. Cloud providers such as Amazon and Parse.com therefore offer backends as a service (BaaS). With BaaS, app developers can simply connect to pre-configured servers using a few lines of program code, which makes data storage and synchronization through the cloud very easy. Some apps use BaaS to share public data, which is fine as long as the data is configured to be read-only. Many apps, however, also use BaaS to store confidential data such as user names, email addresses, contact information, passwords and other secrets, photos, and generally any kind of data one can think of. Such data should only be accessible to the individual app user who stored it. The researchers found more than 56 million sets of unprotected data, including email addresses, passwords, health records and other sensitive information of app users, which may be easily stolen and often manipulated. Read the official release here.
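The following is an added illustration, not code from the TU Darmstadt / Fraunhofer SIT study or from any BaaS provider's SDK. It models, in a few dozen lines, the per-record access control that such backends offer: the exposed "public read/write" configuration the post warns about, beside the owner-only ACL that private data should carry, plus a small audit helper a developer can run over their own records to find sensitive fields that are readable or writable by anyone. The store class, the ACL format and all names (BaaSStore, audit_exposure, SENSITIVE_FIELDS, the sample records) are assumptions made for the example.

```python
# Added example (not the researchers' or any provider's code): a toy model of a
# BaaS object store where every record carries its own ACL.  The ACL format
# {principal: {"read": bool, "write": bool}} and all names are assumptions.

SENSITIVE_FIELDS = {"email", "password", "password_hash", "health_record", "phone"}

PUBLIC = "*"  # principal meaning "anyone", including unauthenticated clients


def public_read_write_acl():
    """The risky configuration: anyone can read and modify the record."""
    return {PUBLIC: {"read": True, "write": True}}


def owner_only_acl(owner_id):
    """Recommended configuration for private data: only the owner may read/write."""
    return {owner_id: {"read": True, "write": True}}


def _allowed(acl, principal, permission):
    """True if the ACL grants `permission` to `principal` or to the public."""
    return any(acl.get(p, {}).get(permission, False) for p in (principal, PUBLIC))


class BaaSStore:
    """In-memory stand-in for a cloud object store; requester=None is anonymous."""

    def __init__(self):
        self._records = {}

    def put(self, record_id, data, acl):
        self._records[record_id] = {"data": dict(data), "acl": dict(acl)}

    def read(self, record_id, requester):
        rec = self._records[record_id]
        if not _allowed(rec["acl"], requester, "read"):
            raise PermissionError(f"{requester!r} may not read {record_id}")
        return dict(rec["data"])

    def update(self, record_id, requester, changes):
        rec = self._records[record_id]
        if not _allowed(rec["acl"], requester, "write"):
            raise PermissionError(f"{requester!r} may not write {record_id}")
        rec["data"].update(changes)
        return dict(rec["data"])

    def audit_exposure(self):
        """Developer-side check: records whose sensitive fields the public can
        read (data theft) or write (data manipulation)."""
        findings = []
        for rid, rec in self._records.items():
            exposed = sorted(SENSITIVE_FIELDS & set(rec["data"]))
            pub = rec["acl"].get(PUBLIC, {})
            if exposed and (pub.get("read") or pub.get("write")):
                findings.append({"id": rid, "fields": exposed,
                                 "public_read": bool(pub.get("read")),
                                 "public_write": bool(pub.get("write"))})
        return findings


def build_sample_store():
    """Constructed sample data: one misconfigured record, one correctly scoped."""
    store = BaaSStore()
    store.put("u1", {"email": "alice@example.com", "password_hash": "<hash>"},
              public_read_write_acl())
    store.put("u2", {"email": "bob@example.com", "password_hash": "<hash>"},
              owner_only_acl("bob"))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("anonymous can read u1:", s.read("u1", None))
    try:
        s.read("u2", None)
    except PermissionError as e:
        print("anonymous blocked on u2:", e)
    print("audit:", s.audit_exposure())
```

The audit walks the store from the developer's side: it is the check an app team would run before shipping, and it reports exactly the two conditions the post describes, public readability of sensitive fields (theft) and public writability (manipulation).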
Cross-posted from SEEBlog
Slides and Live-Demo about CodeInspect from the CARO 2015 workshop are online
Eric | May 13, 2015
We gave a talk about CodeInspect at the CARO 2015 workshop in Hamburg. The slides and the live demo (video) are available here: https://goo.gl/LblcR5
The main elements of the CodeInspect demo are:
- Jimple manipulation
- Interactive debugging
- Hyperlinks in XML files (e.g., layout.xml or AndroidManifest.xml)
- Java Source Code Enhancement
If you are interested in further videos about CodeInspect, you can find them here: http://sseblog.ec-spride.de/2014/12/codeinspect/
Enjoy!
Cross-posted from SEEBlog