In a survey by mobile security service company Zimperium, it discovered that 18,000 apps for iOS and Android that use external cloud services are at risk of leaking personal information such as phone numbers and addresses. The reason is that app developers are lazy to follow cloud service guidelines.
One of the important designs for mobile app development is the ability to store information such as the usage status of the app, and the ability for the application to access the server to retrieve information in real time. Unlike Jimperium, many apps rely on external services such as Amazon S3 or Microsoft Azure for cloud services required for these functions.
Cloud services have the convenience of storing data easily and accessing it from apps, but this convenience carries the risk of anyone accessing your data depending on your settings. Companies that provide cloud services are publishing detailed instructions on how to secure access, but they point out that app developers are more likely to fail to follow and misuse default states or settings.
As a result of a survey of more than 1.3 million apps by Jimperium, 131,000 apps use cloud services other than their own servers, of which 14%, or 18,485 apps, have an application setting error, such as user personal information, password, medical information I have confirmed that it is in a state that can be easily accessed. By allowing access to personal information through cloud services, the app ranges from music to games, some of which have millions of users.
In addition to user personal information, Zimperium announced a case where the entire developer server infrastructure script, server, etc. were disclosed, and in this case, a malicious user could check the SSH key and access the app developer server. Jimperium does not individually check whether the damage has actually occurred, and is appealing to app developers to review the cloud service settings to prevent unauthorized access or information leakage. Related information can be found here.