Date
23 November 2017
Hackers covet Twilio credentials because they are used in a variety of apps that send text messages, process phone calls and handle other services. Photo: Reuters
Hackers covet Twilio credentials because they are used in a variety of apps that send text messages, process phone calls and handle other services. Photo: Reuters

Mobile-app errors expose data on 180 million phones

A simple coding error in at least 685 apps put millions of smartphone users at risk of having some of their calls and text messages intercepted by hackers, Reuters reports, citing cyber-security firm Appthority.

Developers mistakenly coded credentials for accessing text messaging, calling and other services provided by Twilio Inc., said Appthority’s director of security research, Seth Hardy. Hackers could access those credentials by reviewing the code in the apps, then gain access to data sent over those services, he said.

Affected apps include the AT&T Navigator app pre-installed on many Android phones and more than a dozen GPS navigation apps published by Telenav Inc. Such apps have been installed as many as 180 million times on Android phones and an unknown number of times on Apple’s iOS-based devices.

Hackers covet Twilio credentials because they are used in a variety of apps that send text messages, process phone calls and handle other services. Hackers could access related data if they log into a developer’s Twilio account, Hardy said.

Appthority, cautious not to tip off potential hackers, did not list all the apps that could be vulnerable. Twillio’s website says its users include Uber Technologies Inc. and Netflix Inc. However, large companies like those typically have security reviews that catch common coding errors like the one Appthority described.

There was no indication that Uber or Netflix were affected by the problem.

The findings highlight new threats posed by the increasing use of third-party services such as Twilio, which says on its website that it powers communications for more than 40,000 businesses worldwide. Developers can inadvertently introduce security vulnerabilities if they do not properly code or configure such services.

“This isn’t just limited to Twilio. It’s a common problem across third-party services,“ Hardy said. ”We often notice that if they make a mistake with one service, they will do so with other services as well.”

Appthority said it also warned Amazon.com Inc that it had found credentials for at least 902 developer accounts with cloud-service provider Amazon Web Services in a scan of 20,098 different apps.

– Contact us at [email protected]

RC/RA

EJI Weekly Newsletter

Please click here to unsubscribe