Thursday, November 09, 2017
Mobile App Vulnerability is Exposing Millions of Conversations


A significant data exposure vulnerability affects almost 700 apps in enterprise environments, and millions of smartphone owners are at risk of having some of their text messages and calls intercepted by hackers.

Cyber-security firm Appthority warned on Thursday that the vulnerability is caused by including hard-coded credentials in mobile applications that use the Twilio REST API or SDK.

By hard-coding their credentials, the developers have effectively given global access to all metadata stored in their Twilio accounts, including text/SMS messages, call metadata, and voice recordings. As a result, the vulnerability is called Eavesdropper.

The findings highlight new threats posed by the increasing use of third-party services such as Twilio that provide mobile apps with functions like text messaging and audio calls. Developers can inadvertently introduce security vulnerabilities if they do not properly code or configure such services.

Although Appthority has not extensively analyzed the recordings out of respect for privacy, due to the nature of the apps, they believe that the data may potentially include business and personal discussions such as negotiations, pricing discussions, confidential recruiting calls, proprietary product and technology disclosures, health diagnoses, market data, and M&A planning. A motivated attacker with automated tools to convert the audio to text and search for specific keywords will almost certainly be rewarded with valuable data.

Importantly, Eavesdropper does not rely on a jailbreak or root of the device, take advantage of a known OS vulnerability, or attack via malware. An Eavesdropper attack is possible simply because developers have failed to follow Twilio's documented guidelines for secure use of credentials and tokens, and so allowed these apps to leak audio and message-based communications.

Appthority first discovered the Eavesdropper vulnerability in April 2017 and notified Twilio in July about the exposed accounts. The research firm found the Eavesdropper vulnerability in over 685 enterprise apps (44% Android, 56% iOS) associated with 85 Twilio developer accounts. As of the end of August 2017, 75 of these apps were available on Google Play, and 102 were on the App Store. The affected Android apps had been downloaded up to 180 million times. Approximately 33% of the Eavesdropper apps found are business related. The exposure has been present since 2011.

Twilio spokesman Trak Lord said the company has no evidence that hackers used credentials coded into apps to access customer data but that it was working with developers to change the credentials on affected accounts.

The vulnerability only affects calls and texts made inside of apps that use messaging services from Twilio, including some business apps for recording phone calls, according to Appthority.

Appthority said it also warned Amazon.com that it had found credentials for at least 902 developer accounts with cloud-service provider Amazon Web Services in a scan of 20,098 different apps.
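
A release-gate check for the flaw described above, as an added example that is not from Appthority, Twilio or the original article: it scans an app package you are about to ship for strings shaped like a Twilio Account SID with a 32-hex token stored nearby, or like an AWS access key ID. The 256-byte pairing window, the function names and the sample package contents are assumptions constructed for the demonstration.

```python
import io
import re
import zipfile

# Twilio Account SIDs are "AC" + 32 hex chars and auth tokens are 32 hex chars;
# long-lived AWS access key IDs are "AKIA" + 16 upper-case alphanumerics.
B, A = rb"(?<![0-9A-Za-z])", rb"(?![0-9A-Za-z])"  # no alphanumeric on either side
ACCOUNT_SID = re.compile(B + rb"AC[0-9a-f]{32}" + A)
HEX32 = re.compile(B + rb"[0-9a-f]{32}" + A)
AWS_KEY_ID = re.compile(B + rb"AKIA[0-9A-Z]{16}" + A)
WINDOW = 256  # assumption: a token hard-coded with the SID sits within 256 bytes

def redact(value):
    """Report only a prefix so the scan log does not become a second leak."""
    return value[:6].decode("ascii") + "..."

def scan_blob(name, data):
    """Return (file, kind, redacted value, token_nearby) for credential-shaped strings."""
    token_offsets = [m.start() for m in HEX32.finditer(data)]
    findings = []
    for m in ACCOUNT_SID.finditer(data):
        paired = any(abs(t - m.start()) <= WINDOW for t in token_offsets)
        findings.append((name, "twilio_account_sid", redact(m.group()), paired))
    for m in AWS_KEY_ID.finditer(data):
        findings.append((name, "aws_access_key_id", redact(m.group()), False))
    return findings

def scan_package(package):
    """Scan every entry of an APK or IPA; both are ZIP archives."""
    findings = []
    with zipfile.ZipFile(package) as z:
        for info in z.infolist():
            if not info.is_dir():
                findings.extend(scan_blob(info.filename, z.read(info)))
    return findings

def build_sample_package():
    """Constructed test package; every credential in it is fake."""
    sid, token = b"AC" + b"0123456789abcdef" * 2, b"deadbeef" * 4
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"\x00\x22" + sid + b"\x00\x20" + token + b"\x00")
        z.writestr("assets/config.json", b'{"aws_key": "AKIAEXAMPLEEXAMPLE00"}')
        z.writestr("res/raw/about.txt", b"build 4f2a, nothing secret here")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for finding in scan_package(build_sample_package()):
        print(finding)
```

The scan only sees credentials stored as plain ASCII, so a clean result does not prove a build is free of them. The durable fix is to keep the account credentials on a server the app calls rather than in the app itself.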



Site best viewed at 1024x768+ - CDRINFO.COM 1998-2017 - All rights reserved -