Appthority published research on its discovery of the Eavesdropper vulnerability, caused by developers carelessly hard-coding their credentials in mobile applications that use the Twilio REST API or SDK, despite the best practices Twilio clearly outlines in its documentation.
What applications are affected by the Eavesdropper vulnerability?
Security researchers have identified this as a real and ongoing threat affecting nearly 700 apps in enterprise mobile environments, over 170 of which are live in the official app stores today.
Affected Android apps alone have been downloaded up to 180 million times.
Examples of apps with the Eavesdropper vulnerability include an app for secure communication for a federal law enforcement agency, an app that enables enterprise sales teams to record audio and annotate discussions in real-time, and branded and white label navigation apps for customers such as AT&T and US Cellular.
Hard coding of credentials
This issue is not specific to developers who create apps with Twilio. Hard-coding credentials is a pervasive and common developer error that increases the security risks of mobile apps. Appthority researchers are finding that developers who hard-code credentials for one service have a high propensity to make the same error with other services, for example with both an app communications tool, as in this instance, and a data store such as Amazon S3.
Over the lifetime of the apps and the developer’s use of the same credentials, the Eavesdropper vulnerability exposes massive amounts of sensitive current and historic data, including hundreds of millions of:
- Call records
- Minutes of calls
- Minutes of call audio recordings
- SMS and MMS text messages
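The reuse of one hard-coded credential across a developer's whole family of apps is what turns a single mistake into a portfolio-wide exposure. The scanner below is an added example, not Appthority's tooling or anything from the page: it searches source lines for the documented Twilio Account SID shape ("AC" followed by 32 hex characters) and for 32-hex-character auth-token assignments, then groups the findings by value to show which apps embed the same credential and therefore all need rotating together. The file names, app names and source lines are constructed for the example; the scanner works on any iterable of text lines, so it can be pointed at decompiled resources or a repository checkout just as easily.

```python
import re
from collections import defaultdict

# Documented credential shapes: a Twilio Account SID is "AC" followed by 32 hex
# characters, and an Auth Token is 32 hex characters. Only those two formats are
# taken from Twilio's documentation; every file name, app name and source line
# below is constructed for this example.
ACCOUNT_SID = re.compile(r"\bAC[0-9a-f]{32}\b", re.IGNORECASE)
AUTH_TOKEN_ASSIGNMENT = re.compile(
    r"(?i)\b(?:twilio[_.]?)?auth[_.]?token\b\s*[=:]\s*[\"']([0-9a-f]{32})[\"']"
)

# Constructed sample sources: two apps by the same developer embed the same
# account SID and token; a third app reads the SID from the environment at
# runtime (the backend supplies it), so it produces no finding.
SAMPLE_SOURCES = {
    "fieldsales/TwilioConfig.java": [
        'public static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";',
        'public static final String AUTH_TOKEN = "fedcba9876543210fedcba9876543210";',
    ],
    "navigator/Constants.swift": [
        'let twilioAccountSid = "AC0123456789abcdef0123456789abcdef"',
        'let twilioAuthToken = "fedcba9876543210fedcba9876543210"',
    ],
    "securechat/config.py": [
        'ACCOUNT_SID = os.environ["TWILIO_ACCOUNT_SID"]  # supplied by the backend, not baked in',
    ],
}


def redact(secret: str) -> str:
    """Keep a short prefix so a report can correlate findings without reproducing the secret."""
    return secret[:6] + "..." + "****"


def scan_lines(path, lines):
    """Return one finding per credential-shaped value found in the given lines of one file."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in ACCOUNT_SID.finditer(line):
            findings.append({"path": path, "line": lineno, "kind": "account_sid", "value": m.group(0)})
        m = AUTH_TOKEN_ASSIGNMENT.search(line)
        if m:
            findings.append({"path": path, "line": lineno, "kind": "auth_token", "value": m.group(1)})
    return findings


def scan_sources(sources):
    """Scan a mapping of path -> lines (e.g. a checkout or decompiled resources)."""
    findings = []
    for path, lines in sources.items():
        findings.extend(scan_lines(path, lines))
    return findings


def shared_credentials(findings):
    """Map each value that appears in more than one app (top-level directory) to those apps."""
    apps_by_value = defaultdict(set)
    for f in findings:
        app = f["path"].split("/", 1)[0]
        apps_by_value[f["value"]].add(app)
    return {value: sorted(apps) for value, apps in apps_by_value.items() if len(apps) > 1}


def report(sources):
    """Human-readable summary: one line per finding, then one line per credential shared across apps."""
    findings = scan_sources(sources)
    out = [f"{f['path']}:{f['line']}: hard-coded {f['kind']} {redact(f['value'])}" for f in findings]
    for value, apps in shared_credentials(findings).items():
        out.append(
            f"{redact(value)} is shared by {len(apps)} apps ({', '.join(apps)}); "
            "rotating it affects all of them"
        )
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SOURCES)))
```

The grouping step is the part worth keeping in a real pipeline: a finding in one app is a bug to fix, but the same value showing up in several apps means the rotation has to be coordinated across all of them, and, as the page notes, the exposure persists until that rotation happens regardless of which apps are pulled from the store.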
How a simple mistake can affect many apps
Notably, Eavesdropper does not rely on a jailbreak or root of the device, nor does it take advantage of a known OS vulnerability or attack via malware. Rather, this vulnerability shows how a simple developer mistake of exposing credentials in one app can affect larger families of apps by that same developer using the same credentials, even compromising other apps where best practices were followed, using side-channel and historical attacks.
Moreover, this vulnerability isn’t resolved by removing an affected app from the app store or from users’ devices. The lifetime of the app’s data, and the data from other apps created by that developer, remains exposed until the credentials for all apps are properly updated and, of course, no longer disclosed in clear text in the apps.
“Eavesdropper poses a serious enterprise data threat because it allows an attacker to access confidential company information, which may include a range of sensitive information often shared in an enterprise environment, such as negotiations, pricing discussions, recruiting calls, product and technology disclosures, health diagnoses, market data or M&A planning,” said Seth Hardy, Appthority Director of Security Research. “An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data.”
Discovery and disclosure timeline
The Appthority Mobile Threat Team (MTT) first discovered the Eavesdropper vulnerability in April 2017 and notified Twilio in July 2017 about the exposed accounts.
The oldest affected iOS app dates from 2009, with one or more compromised accounts affected since 2011.