The security of our personal data is top of mind right now, so the news that nearly 700 apps for iOS and Android were easily exploited to show private messages and calls is troubling, to say the least. Security company Appthority discovered the exploit, dubbed "Eavesdropper," and published its findings this morning. According to the company's research, up to 180 million Android devices could be affected, as well as an unknown number of iOS devices.
At a high level, Appthority discovered 685 apps that used the Twilio Rest API or SDK for communication services, including calling and messaging. Twilio basically lets developers build those features into their apps without having to write their own communications protocols. Unfortunately, some developers using these APIs left hard-coded user credentials in the app's code, making it a simple matter for a motivated hacker to expose a user's private communications. "The vulnerability is called Eavesdropper ," writes Appthority's Michael Bentley, "because the developers have effectively given global access to the text/SMS messages, call metadata, and voice recordings from every app they've developed with the exposed credentials."
Bentley also notes that Eavesdropper poses a major threat to enterprise communications, as Twilio is typically used in business environments. As such, the vulnerability could make a company's private information easily accessible by those with nefarious schemes in mind, though Appthority's research showed that only about 33 percent of the apps in question were business-focused.
The research firm first discovered the vulnerability back in April and notified Twilio in July, noting that 85 developers were responsible for the unprotected apps. By the end of August, the number of affected apps had dropped to 102 in the iOS App Store and 85 in Google Play. That's still a pretty large number, but unfortunately Appthority didn't publish a full list of apps that are still live.