These days, just about everything relies on the cloud in one way or another.
Infrequent as they are, outages of major cloud providers—like the AWS outage last November that knocked out a number of apps and services—serve as a good reminder of just how interconnected things are these days.
Mobile apps are no stranger to this trend, as companies have grown to rely on cloud connections, rather than on-prem servers, to store backend information. In most cases, this is a net positive: utilizing cloud databases and storage allows app developers to focus on, well, app development, without getting too caught up in details about the back-end infrastructure.
But as recent research by mobile security company Zimperium shows, thousands of apps that are currently in use have unsecure cloud configurations that put companies at risk of leaking sensitive user information.
WIRED first reported on Zimperium’s research earlier this month. The basic premise is this: “instead of carefully restricting who can access the information store in their cloud infrastructure, organizations too often misconfigure their defenses.” WIRED compares this to leaving the windows or doors open at your house before going on vacation.
Zimperium analysis of over a million iOS and Android apps found misconfigurations in about 20,000 apps, or 14% of those that use public cloud services like the aforementioned AWS, or Google Cloud or Microsoft Azure. Apps with improper cloud configurations can expose anything from passwords to medical information.
In their blog about the research, Zimperium cites a few specific types of data at risk due to this misconfiguration. Some medical apps, for example, exposed personal medical information including test results and profile images, while some social media apps exposed photos, phone numbers, and other personal information. Other vulnerabilities—in the wrong hands—could enable malicious actors to delete internal company information or access system-wide encryption keys. Put another way, Zimperium found no shortage of potentially damaging information in its research, for which it ran an automated analysis to detect common cloud misconfigurations.
So what should you do with this information, exactly? The biggest thing, as Zimperium recommends, is making sure that your cloud database is not accessible to the outside world. There is of course a plug for companies to use Zimperium’s solution to up their security, but the core takeaway is that there’s no better time than now to ensure that your setups don’t allow external access that could put your users’ data at risk.
The ability to offload infrastructure needs to the cloud is, more often than not, a tremendous asset for companies. But as Zimperium’s report shows, there’s no such thing as “too careful” when it comes to the security of your infrastructure. As cloud computing and mobile app development and management work hand-in-hand, it’s absolutely essential that you ensure you’ve taken the proper precautions to avoid any security pitfalls like the ones described here.
Questions? Concerns? Contact us today or reply directly to this blog in the comments. We’d love to hear from you!