BILLIONS OF SMARTPHONE USERS' personal data is at risk after researchers uncovered a Heartbleed-like vulnerability in some of the "most popular" Android and iOS apps.
Researchers from Fraunhofer Institute for Secure Information Technology and Darmstadt University of Technology told Reuters about the vulnerability after discovering 56 million items of unprotected data in the applications that were studied. These included games, social networks, messaging, medical and banking apps.
The German researchers didn't name the apps in question, but said they include some of the most popular on the Apple and Google app stores.
The flaw exposes passwords, addresses, access codes and location data, but the researchers found no evidence that the vulnerability had been exploited.
"In almost every category we found an app which has this vulnerability," said Siegfried Rasthofer, part of the research team, warning that the number of records at risk is likely to "be in the billions".
Eric Bodden, leader of the research team, likened the vulnerability to Heartbleed, while other security researchers said that it might be worse as it is easy to exploit and there is little app users can do about it.
"The amount of effort to compromise data by exploiting app vulnerabilities is far less than the effort to exploit Heartbleed," Toshendra Sharma, founder of Mumbai-based mobile security company Wegilant, said in a statement to Reuters.
Bodden blames the flaw on the way developers authenticate their apps to the online databases in which they store users' data. Most choose the default option: a single authentication token, a string of letters and numbers embedded in the app's own code, so every copy of the app carries the same credential.
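The single embedded token Bodden describes, next to the per-user access control that avoids it, as an added toy example in Python (not code from the article, the researchers or any app SDK; all records, passwords and token values are constructed):

```python
"""Toy model of the flaw above: an app authenticating to its online database with
the SDK's default app-wide token.  Added illustration, not the article's or researchers' code."""
import hashlib, hmac, secrets
# Constructed user records, as the backend datastore would hold them.
RECORDS = {
    "alice": {"address": "1 Example Lane", "access_code": "4711"},
    "bob": {"address": "2 Example Lane", "access_code": "0815"},
}

# Weak pattern: one token, the same string baked into every copy of the app.
# The backend cannot tell the genuine app from anyone who has read that string.
APP_TOKEN = "constructed-app-token-9f3a"  # constructed value

def fetch_with_app_token(token, owner):
    """Weak: a valid app token reads ANY owner's record."""
    if not hmac.compare_digest(token, APP_TOKEN):
        raise PermissionError("bad app token")
    return RECORDS[owner]

# Hardened pattern: no secret ships in the app.  The backend checks the user's
# own credentials, issues a per-session token, and ties each record to its owner.
SALT = b"constructed-salt"  # a real deployment uses a random salt per user

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

USERS = {"alice": _hash("alice-pw"), "bob": _hash("bob-pw")}  # constructed
SESSIONS = {}  # session token -> user, kept only on the server

def login(user, password):
    """Return a fresh session token, or None if the credentials are wrong."""
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, _hash(password)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token

def fetch_with_user_token(token, owner):
    """Hardened: the token must belong to the owner of the requested record."""
    if SESSIONS.get(token) != owner:
        raise PermissionError("token not valid for this record")
    return RECORDS[owner]

def can_read(fetch, token, owner):
    """True if `fetch` lets `token` read `owner`'s record."""
    try:
        return fetch(token, owner) is not None
    except PermissionError:
        return False
```

With the app-wide token, reading one record and reading every record cost the same; with per-user session tokens, a leaked or guessed token is worth at most one account for one session.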
Winston Bond, European technical manager at Arxan Technologies, said in a statement sent to The INQUIRER: "We know developers are under increasing pressure to quickly deliver new or updated applications which are feature rich, but this means security continues to be pushed to the side.
"The majority of the time, developers have relied on the default settings available, making an assumption they will be sufficient, or they copy directly from an existing sample app that does not address the unique vulnerabilities associated with mobile applications and the data they manage.
"To stop these kinds of vulnerabilities and flaws occurring, more robust protections need to be inserted directly into the app at the binary level. Without this level of protection, apps are at risk because it’s easy for a hacker to reverse engineer binary code back to source code."
Apple told the researchers in response to the findings that the company will soon incorporate warnings to developers to double check security settings before uploading apps to the App Store.
Google declined to comment.