Eavesdropper is a dangerous new vulnerability identified by researchers at Appthority, an enterprise mobile threat protection firm. According to their findings, about 700 iOS and Android applications have been affected so far, exposing a massive amount of sensitive mobile data. Reportedly, millions of calls, voice recordings, and text messages have been exposed, and Eavesdropper is being regarded as a serious threat.
Although Appthority’s security experts discovered Eavesdropper in April, it has been around since 2011, and 30 to 33 percent of the affected apps are business related. Appthority researchers noted that a number of important apps are among them: one of the affected apps is used to initiate secure communication for a federal law enforcement agency, while another records audio and annotates real-time discussions for enterprise sales teams.
“The scope of the exposure is massive including hundreds of millions of call records, minutes of calls and audio recordings, and text messages,” wrote researchers in a blog post.
It is also revealed that applications built on the Twilio service were the main victims of Eavesdropper. The vulnerability is the result of a basic developer error that inadvertently exposed the API credentials of hundreds of applications: apparently, developers did not properly follow Twilio’s usage guidelines and failed to secure their credentials and tokens.
Michael Bentley from Appthority wrote: “By hard-coding their credentials, the developers have effectively given global access to all metadata stored in their Twilio accounts.”
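As an added example (not code from the article, Appthority or Twilio), here is the kind of secret-scanning check a build pipeline can run over app source or over the strings of a built binary to catch the hard-coding error described above before an app ships. The Twilio credential shapes it matches come from Twilio’s public documentation rather than from the article, and the sample source lines are constructed.

```python
import re
from typing import List, Tuple

# Twilio credential shapes (from Twilio's public docs, not stated in the article):
# an Account SID is "AC" followed by 32 hex characters; an auth token is 32 hex characters.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# A bare 32-hex string is only reported when the line hints that it is a secret,
# so ordinary MD5 digests and similar values are not flagged.
SECRET_HINT_RE = re.compile(r"auth[_-]?token|twilio|secret|password", re.IGNORECASE)


def mask(value: str) -> str:
    """Keep only a short prefix so a report never copies the full secret into logs."""
    return value[:4] + "*" * (len(value) - 4)


def find_hardcoded_twilio_credentials(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, masked_value) for each suspected hard-coded credential.

    Intended to run in CI over app source, or over `strings` output of a built
    app, so a credential that would ship inside the binary is caught before release.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in ACCOUNT_SID_RE.finditer(line):
            findings.append((n, "account_sid", mask(m.group(0))))
        if SECRET_HINT_RE.search(line):
            for m in HEX32_RE.finditer(line):
                findings.append((n, "auth_token", mask(m.group(0))))
    return findings


# Constructed sample: three lines as they might appear in a mobile app's source.
SAMPLE_SOURCE = [
    'static final String TWILIO_SID = "ACaaaaaaaabbbbbbbbccccccccdddddddd";',
    'static final String TWILIO_AUTH_TOKEN = "0123456789abcdef0123456789abcdef";',
    'String cacheKey = "5d41402abc4b2a76b9719d911017c592"; // md5 cache key',
]

if __name__ == "__main__":
    for line_no, kind, value in find_hardcoded_twilio_credentials(SAMPLE_SOURCE):
        print(f"line {line_no}: hard-coded {kind} {value}")
```

A hit on a release build means the credential is already compromised: rotate it on the Twilio side, then move it out of the app entirely.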
The affected apps have already been downloaded more than 180 million times, which shows the extent of the threat.
Researchers claim that Eavesdropper exposes huge amounts of confidential, private data without relying on conventional methods such as jailbreaking, malware or rooting, but only through careless developer error.
“Eavesdropper” Flaw Poses Serious Threat to Enterprise Mobile Data – The data that can be exposed includes call records, minutes of calls, minutes of call audio recordings, SMS and MMS text messages.
The incident highlights the fact that hackers can launch attacks without sophisticated tools. More concerning, the problem cannot be resolved by deleting the affected app from the device: the exposed credentials themselves must be updated and kept secure, otherwise the data remains exposed.
Appthority’s security research director Seth Hardy explained that Eavesdropper poses a serious threat to enterprise data because it lets attackers access private and confidential data, including details that are never discussed outside the enterprise environment, such as pricing discussions, technology disclosures or M&A planning.
“An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data,” stated Hardy.
Appthority also claimed that the threat is not limited to apps developed using Twilio service, which means there might be many more affected apps that are yet to be identified.