A mobile threat protection firm has now published details of a new vulnerability which has affected numerous messaging apps on both the Android and iOS platforms. Appthority is calling the vulnerability “Eavesdropper”, and for good reason.
About 180 million Android devices, along with an unknown number of iOS devices, might have been affected by Eavesdropper. The vulnerability comes from developers misusing the Twilio REST API/SDK, which means that the fault does not actually lie with Twilio themselves.
Apparently, developers have been hard-coding their Twilio credentials into the affected apps’ code. Since anyone who obtains the app can extract those credentials, this effectively grants access to all kinds of data handled by every single one of those apps, including messages and metadata.
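The core mistake described above is a long-lived API credential shipped inside the app binary. The following added example (not Appthority's tooling or Twilio's code) shows a pre-release secret check a development team could run over its source tree, with a constructed vulnerable file beside a constructed hardened one. It assumes only the publicly documented shape of Twilio identifiers (an Account SID is "AC" followed by 32 hex characters, an auth token is 32 hex characters); the file names, the `/api/messaging-token` backend endpoint and the credential values are constructed placeholders.

```python
"""Pre-release check for hard-coded Twilio credentials in app source.

Added example, not code from Appthority or Twilio. The regexes rely on the
public format of Twilio identifiers; every file and value below is a
constructed sample, not a real app or a real secret.
"""
import re
from typing import Dict, List, Tuple

# Twilio Account SID: literal "AC" followed by 32 hex characters.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
# A 32-hex-character literal assigned to a variable named like a token.
AUTH_TOKEN_RE = re.compile(
    r"(?i)(auth[_ ]?token|twilio[_ ]?token)\s*[:=]\s*['\"]([0-9a-fA-F]{32})['\"]"
)

Finding = Tuple[str, int, str]  # (file name, line number, credential kind)


def scan_source(name: str, text: str) -> List[Finding]:
    """Report each line that embeds a Twilio credential.

    Only the kind and location are reported, never the matched value, so the
    scanner's own output does not become another place the secret leaks.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ACCOUNT_SID_RE.search(line):
            findings.append((name, line_no, "account_sid"))
        if AUTH_TOKEN_RE.search(line):
            findings.append((name, line_no, "auth_token"))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of file name -> contents (stands in for a source tree)."""
    findings: List[Finding] = []
    for name, text in files.items():
        findings.extend(scan_source(name, text))
    return findings


def release_is_clean(files: Dict[str, str]) -> bool:
    """Gate a build: True only when no hard-coded credential was found."""
    return not scan_tree(files)


# --- constructed samples -------------------------------------------------
FAKE_SID = "AC" + "0" * 32   # constructed placeholder, not a real account SID
FAKE_TOKEN = "0" * 32        # constructed placeholder, not a real auth token

# The anti-pattern behind Eavesdropper: the account credential lives in the app.
VULNERABLE_JAVA = (
    "// Constructed sample of the anti-pattern: credentials baked into the app\n"
    "public class SmsClient {\n"
    f'    static final String ACCOUNT_SID = "{FAKE_SID}";\n'
    f'    static final String AUTH_TOKEN = "{FAKE_TOKEN}";\n'
    "}\n"
)

# The fix: the app holds no long-lived credential. It asks its own backend for
# a short-lived, scoped token, and the backend keeps the real credentials
# server-side (the endpoint name is an assumption for this sample).
HARDENED_JAVA = (
    "// Constructed sample of the fix: no account credential in the client\n"
    "public class SmsClient {\n"
    "    String fetchShortLivedToken() {\n"
    '        return backend.get("/api/messaging-token");\n'
    "    }\n"
    "}\n"
)

SAMPLE_TREE = {
    "vulnerable/SmsClient.java": VULNERABLE_JAVA,
    "hardened/SmsClient.java": HARDENED_JAVA,
}

if __name__ == "__main__":
    for finding in scan_tree(SAMPLE_TREE):
        print("hard-coded credential: %s:%d (%s)" % finding)
    print("release clean:", release_is_clean(SAMPLE_TREE))
```

Run as a CI step, the check fails the build for the vulnerable file (two findings, one per credential) and passes the hardened file, which contains nothing to extract because the secret never leaves the server.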
According to Appthority, more than 33 percent of the affected apps were used in enterprise settings. Even more interestingly, one of the 685 infected apps discovered last April was used by a federal law enforcement agency.
Fortunately, Appthority has been acting very efficiently since discovering the vulnerability, informing Twilio of the issue and thus allowing developers to fix their mistake and remove the issue from their apps.
By the end of August, the number of affected apps had already fallen to 75 on Google Play and 102 on the App Store. Appthority estimates that hundreds of millions of call records, audio recordings, and text messages have been exposed as the vulnerability has most likely existed since 2011.
As is the usual practice with these kinds of discoveries, Appthority has not disclosed the full list of vulnerable apps, so that the developers have a chance to address the issue before it is made public.
Thankfully, the firm has also not found any evidence that Eavesdropper has actually ever been exploited, so this is one of the vulnerabilities that was first discovered by security experts and not by potential attackers.
In its report, the company details how Eavesdropper is merely the latest in a series of vulnerabilities it has discovered. The truth is that not only are such vulnerabilities quite common in the mobile industry, but almost no one is taking any steps to address them.
Despite knowing better, the tech industry is notorious for not implementing good security standards, particularly in apps and services that constantly deal with customer data.
Consumers are often left responsible for their own mobile security, though they are also often unable to do anything about it, short of installing nothing on their phones and disconnecting themselves from the Internet entirely.