Image credit: PeopleImages via Getty Images

Researchers find hundreds of easily-breached messaging apps

Android and iOS developers left user credentials right in easily-searchable code.

The security of our personal data is top of mind right now, so the news that nearly 700 apps for iOS and Android were easily exploited to show private messages and calls is troubling, to say the least. Security company Appthority discovered the exploit, dubbed "Eavesdropper," and published its findings this morning. According to the company's research, up to 180 million Android devices could be affected, as well as an unknown number of iOS devices.

At a high level, Appthority discovered 685 apps that used the Twilio REST API or SDK for communication services, including calling and messaging. Twilio basically lets developers build those features into their apps without having to write their own communications protocols. Unfortunately, some developers using these APIs left hard-coded user credentials in the app's code, making it a simple matter for a motivated hacker to expose a user's private communications. "The vulnerability is called Eavesdropper," writes Appthority's Michael Bentley, "because the developers have effectively given global access to the text/SMS messages, call metadata, and voice recordings from every app they've developed with the exposed credentials."
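As an added example (not tooling from Appthority, Twilio or any of the affected apps), here is a small Python scanner of the kind a development team could run over its own source tree to catch the hard-coded Twilio credentials described above before a build ships. It assumes the documented Twilio formats: Account SIDs are `AC` followed by 32 hex characters, API Key SIDs are `SK` followed by 32 hex characters, and auth tokens are 32 hex characters; the sample source file it scans is constructed.

```python
import re

# Twilio identifier formats (assumption stated in the lead-in): Account SIDs are
# "AC" + 32 hex chars, API Key SIDs are "SK" + 32 hex chars, auth tokens are 32 hex chars.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
API_KEY_SID_RE = re.compile(r"\bSK[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# A bare 32-hex string is only reported when the same line names a credential,
# so build hashes and similar values are not flagged as tokens.
CRED_HINT_RE = re.compile(
    r"(?i)(auth[_-]?token|twilio|account[_-]?sid|api[_-]?key|secret|password|credential)"
)


def scan_source(text):
    """Return (line_number, finding) pairs for lines that embed Twilio credentials."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ACCOUNT_SID_RE.search(line):
            findings.append((lineno, "twilio_account_sid"))
        elif API_KEY_SID_RE.search(line):
            findings.append((lineno, "twilio_api_key_sid"))
        elif HEX32_RE.search(line) and CRED_HINT_RE.search(line):
            findings.append((lineno, "possible_auth_token"))
    return findings


def has_hardcoded_twilio_credentials(text):
    """True if any line of the source embeds a Twilio credential."""
    return bool(scan_source(text))


# Constructed sample of an app source file; the values are made up, not real credentials.
SAMPLE_SOURCE = """\
// constructed sample, not taken from any real app
public class SmsClient {
    private static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    private static final String AUTH_TOKEN  = "deadbeefdeadbeefdeadbeefdeadbeef";
    private static final String API_KEY     = "SKfedcba9876543210fedcba9876543210";
    private static final String BUILD_HASH  = "0123456789abcdef0123456789abcdef";
    private static final String BASE_URL    = "https://api.twilio.com/2010-04-01/";
}
"""

if __name__ == "__main__":
    for lineno, finding in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {finding}")
```

A hit from this scanner means the credential belongs on the developer's own backend, which should broker calls to Twilio on the app's behalf, and the exposed value should be rotated.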

Bentley also notes that Eavesdropper poses a major threat to enterprise communications, as Twilio is typically used in business environments. As such, the vulnerability could make a company's private information easily accessible by those with nefarious schemes in mind, though Appthority's research showed that only about 33 percent of the apps in question were business-focused.

The research firm first discovered the vulnerability back in April and notified Twilio in July, noting that 85 developers were responsible for the unprotected apps. By the end of August, the number of affected apps had dropped to 102 in the iOS App Store and 85 in Google Play. That's still a pretty large number, but unfortunately Appthority didn't publish a full list of apps that are still live.
