Apr 16, 2025

Your Apps are Leaking: The Hidden Data Risks on your Phone

Juan Francisco Bertona

Part 1: Cloud and Cryptography Risks

Personally identifiable information (PII), financial data, medical information, account credentials, intellectual property: what all these types of sensitive data have in common is that you need tight control over who can access them, regardless of whether they belong to you or your organization. You might be following best practices yourself, but what about the apps that you or your employees use? With the ever-growing dependence on mobile devices in everyday business and personal activities, and especially with many companies opting for a BYOD policy, it is particularly important to know how those apps might compromise your privacy and sensitive corporate data.

The stakes have never been higher. During 2024 alone, over 1.7 billion individuals had their personal data compromised—a staggering 312% increase from 419 million in 2023—leading to a total estimated financial loss of 280 billion dollars. As mobile devices become the primary gateway to digital services, they also represent an expanding attack surface for data leakage and breaches.

zLabs, our research team at Zimperium, conducted an extensive analysis of mobile applications to understand the scope and severity of these risks. We looked into 54,648 work apps (9,078 for Android and 45,570 for iOS) from official app stores that our customers found in use in their device fleets. The findings are alarming and highlight the critical need for comprehensive app vetting in enterprise environments.

Understanding Data Leaks in Mobile Apps

Data leaks and data breaches happen when an unwanted actor obtains access to sensitive data. Although the two terms are often used interchangeably, a data leak generally refers to sensitive information being unintentionally exposed to the public, whether in transit, at rest, or in use. Unlike data breaches, which typically result from external intrusion attempts, data leaks often stem from negligence, poor security practices or inadequate data handling processes within the applications themselves.

Cloud Services: A Double-Edged Sword

Cloud integration has become ubiquitous in mobile app development, with 62% of all analyzed apps using some kind of cloud API or SDK. While cloud services offer scalability and convenience, they also introduce significant risks when improperly implemented:

  • 103 Android apps were found to use unprotected or misconfigured cloud storage, with 4 of these apps ranking in the top 1000 in the Play Store popularity list. In some cases, file and directory indexes are world-viewable, while in others, the full contents of repositories could be accessed without credentials. Automated systems continuously scan cloud providers' storage for such unprotected repositories in order to steal the data, which can then be sold, used for identity theft, leveraged for blackmail or spear phishing campaigns, or put to a myriad of other nefarious purposes.


Data saved in an unprotected or misconfigured cloud storage can be accessed by anyone.

  • 10 Android apps contained exposed credentials to AWS cloud services, creating an open door for attackers to access sensitive enterprise data. These credentials could be used to read the data or, in the worst case, to write to it: creating fake records, or deleting or encrypting the data and demanding a ransom for it, without the attacker ever having to perform a traditional ransomware attack.

Hardcoded cloud credentials make data vulnerable to breaches and tampering

The consequences of cloud misconfigurations can be devastating. In a recent incident, one of the world’s largest car manufacturers experienced a massive data breach affecting approximately 260,000 customers due to a misconfigured cloud environment. This incident demonstrates how even major corporations with substantial security resources can fall victim to basic cloud security oversights.

Cryptographic Weaknesses: Undermining Security Foundations

Encryption of sensitive data is critical. Unencrypted or poorly encrypted data can be exploited in two places. In transit: through a man-in-the-middle attack, for example, an attacker may be able to read the data flowing to and from servers. At rest: an attacker may gain read access to a data repository. In both cases, properly encrypted data is essentially useless to the attacker.


Properly encrypted data is useless to attackers, even when it is intercepted in transit or obtained from a cracked cloud storage

Our research found that 88% of all apps and 43% of the top 100 use one or more cryptographic methods that don't follow best practices. In some cases we found high-severity cryptography flaws such as:

  • Hardcoded cryptographic keys
  • Use of outdated algorithms like MD2
  • Insecure random number generators (that can potentially be exploited to break encryption)
  • Reuse of the same cryptographic keys

These vulnerabilities create opportunities for attackers to intercept, decrypt, and exploit sensitive data, potentially leading to unauthorized access to enterprise systems and information.

The Enterprise Impact

For organizations of all types, these cloud and cryptographic vulnerabilities create significant risks:

  1. Data Exposure: Misconfigured cloud storage can lead to immediate exposure of sensitive corporate data.
  2. Compliance Violations: Poor encryption practices can result in violations of regulations like GDPR or standards such as HIPAA or MASVS.
  3. Financial Impact: The average cost of a data breach is $4.88 million per incident, with compromised credentials and cloud misconfiguration being the 1st and 3rd most frequent initial attack vectors.

Course of Action

To avoid these risks, a company's mobile device fleet manager needs to have visibility into app behavior patterns. In particular:

  • Cloud Security:
    • Identify misconfigured cloud storage settings
    • Detect exposed credentials and API keys
    • Evaluate cloud service integration security
  • Cryptography:
    • Validate encryption methods and key management
    • Identify outdated or weak algorithms
  • Third-Party Components:
    • Assess security of integrated cloud SDKs
    • Validate third-party cryptographic implementations
    • Monitor for known vulnerabilities
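The "detect exposed credentials" and "identify outdated or weak algorithms" items above can be approximated with a static scan of decompiled app source. The following is an added example, not zLabs' or Zimperium's tooling: a small Python scanner run over a constructed Java snippet that exhibits the flaws listed under Cryptographic Weaknesses (hardcoded key bytes, MD2, DES in ECB mode, java.util.Random for key material) plus an embedded AWS key pair. The detection patterns are assumptions, and the AWS key values are the placeholder examples published in AWS documentation, not real credentials.

```python
import re

# Constructed sample of decompiled Android app source (not from any real app).
# The AWS key values are the placeholder examples published in AWS documentation.
SAMPLE_SOURCE = """\
public class CloudSync {
    static final String ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final byte[] KEY = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
    void encrypt(byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "DES"));
        byte[] iv = new byte[8];
        new java.util.Random().nextBytes(iv);
        MessageDigest.getInstance("MD2").digest(data);
    }
}
"""
# Detection rules (assumed patterns): (rule name, severity, compiled regex)
RULES = [
    ("aws-access-key-id", "high", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws-secret-key", "high", re.compile(r'"[A-Za-z0-9/+=]{40}"')),
    ("hardcoded-key-bytes", "high",
     re.compile(r"byte\[\]\s+\w*(KEY|SECRET)\w*\s*=\s*\{", re.I)),
    ("weak-algorithm", "high",
     re.compile(r'getInstance\("(MD2|MD5|SHA-?1|DES|RC4|RC2)\b', re.I)),
    ("ecb-mode", "medium", re.compile(r'"[A-Za-z0-9]+/ECB/')),
    ("insecure-random", "medium", re.compile(r"\bjava\.util\.Random\b|\bnew Random\(")),
]

def scan_source(source):
    """Return (line_number, rule, severity, snippet) for every rule hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, severity, line.strip()))
    return findings

def summarize(findings):
    """Count findings per severity so an app can be triaged at a glance."""
    counts = {}
    for _, _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts

if __name__ == "__main__":
    for lineno, name, severity, snippet in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: [{severity}] {name}: {snippet}")
    print(summarize(scan_source(SAMPLE_SOURCE)))
```

Pattern matching on decompiled code is a coarse first pass; a hit on the secret-key rule in particular should be confirmed by checking the string's context before an app is flagged to its vendor.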

We cannot change the apps, but we can choose which apps we allow, and that choice is how we keep our data secure.