Anonymous's picture

Mobile-app errors expose data on 180 mln phones -security firm

By Stephen Nellis

Nov 9 (Reuters) - A simple coding error in at least 685 apps put millions of smartphone users at risk of having some of their calls and text messages intercepted by hackers, cyber-security firm Appthority warned on Thursday.

Developers mistakenly coded credentials for accessing text messaging, calling and other services provided by Twilio Inc , said Appthority's director of security research, Seth Hardy. Hackers could access those credentials by reviewing the code in the apps, then gain access to data sent over those services, he said.

Affected apps include the AT&T Navigator app pre-installed on many Android phones and more than a dozen GPS navigation apps published by Telenav Inc. Such apps have been installed as many as 180 million times on Android phones and an unknown number of times on Apple's iOS-based devices.

Shares of Twilio slid nearly 7 percent after the Appthority report. Hackers covet Twilio credentials because they are used in a variety of apps that send text messages, process phone calls and handle other services. Hackers could access related data if they log into a developer's Twilio account, Hardy said.

Appthority, cautious not to tip off potential hackers, did not list all the apps that could be vulnerable. Twillio's website says its users include Uber Technologies Inc and Netflix Inc. However, large companies like those typically have security reviews that catch common coding errors like the one Appthority described.

There was no indication that Uber or Netflix were affected by the problem.

The findings highlight new threats posed by the increasing use of third-party services such as Twilio, which says on its website that it powers communications for more than 40,000 businesses worldwide. Developers can inadvertently introduce security vulnerabilities if they do not properly code or configure such services.

"This isn't just limited to Twilio. It's a common problem across third-party services," Hardy said. "We often notice that if they make a mistake with one service, they will do so with other services as well."

Appthority said it also warned Amazon.com Inc that it had found credentials for at least 902 developer accounts with cloud-service provider Amazon Web Services in a scan of 20,098 different apps.

Those credentials could be used to access app user data stored on Amazon, Hardy said.

A representative with Amazon declined comment.

One problem with third-party services is that developers often use the same account across multiple apps, similar to how consumers might use one email address for a variety of financial services and can have fraud problems at all of them if hackers compromise that single email account.

Appthority found Twilio credentials exposed in a now-defunct version of the AT&T Navigator mapping and GPS app. The AT&T app was a re-branded version of an app originally built by Telenav.

Appthority found that newer versions of the AT&T app appeared to be safe, but data sent over them could still be at risk if the developer of a related app is showbox legal - https://newshowbox.com still using the same Twilio account. It said the same Twilio credentials were found coded in more than a dozen other Telenav apps.

AT&T and Telenav could not immediately be reached for comment.

The mistakes were caused by developers, not Twilio, Hardy said. Twilio's website warns developers that leaving credentials in apps could expose their accounts to hackers.

Twilio spokesman Trak Lord said the company has no evidence that hackers used credentials coded into apps to access customer data but was working with developers to change credentials on affected accounts.

The Twilio vulnerability only affects calls and texts made inside of apps that use its messaging services, including some business apps for recording phone calls such as Wrappup and RingDNA, according to Appthority's report. Wrappup an RingDNA could not immediately be reached for comment.

In a survey of 1,100 apps, Appthority found 685 problem apps that were linked to 85 affected Twilio accounts. That suggests the theft of credentials for one app's Twilio account could pose a security threat to all users of as many as eight other apps.

Twilio's shares closed down 6.8 percent at $25.93. Shares had rallied in pre-market trading after Twilio beat revenue expectations and raised its revenue forecast during an earnings report after the markets closed on Wednesday. (Reporting by Stephen Nellis; Editing by Jim Finkle, Leslie Adler and David Gregorio)

Anonymous's picture

The coolest Android Apps

Team Android phenomenon is spreading like wildfire. Many people are turning to the openness and diversity of Android smartphones when choosing a mobile device. The iPhone has the most robust selection of apps, but many developers are now creating software for the Android Market.

With so many cool apps for Android available, the challenge for consumers to choose the best options. There are even apps designed to help you find other useful mobile applications. For those fans that mobile technology with a limited time to sort through the flood of new downloads, let's take a look at some great applications for Android phones.


What's cooler than playing the drums? This mobile app lets you simulate the fun of a drummer. The user interface is exciting, you control every drum by touching it on your touch screen, and the view is somewhat similar to what a real drummer looks while playing.

For the hobbyist musician, this app doubles as a drum machine. You can simply enjoy the sounds coming from your Android phone while using drums. If you record a drum beat andy emulator - https://newshowbox.com for a song in a pinch, this application would serve as the right solution.

The Onion News Network Mobile App

Comedy fans may already be familiar with the onion News Network. This program offers satirical parodies of current events in a television news and print format. The Onion News Network Android app you can check out their latest videos and articles on the road. If you are looking for a mobile application for an Android phone that makes you laugh while waiting between activities during the day, this is a great selection.


Have you ever yourself humming a tune, but can not remember what it is? Have you ever heard a song through the speaker in a store and wondered the name of it so you could buy it later? SoundHound offers a solution to these problems.

This incredible Android app uses a powerful algorithm to associate sounds picked up by the microphone of your smartphone with a full database of songs. This means that you can identify most of the songs playing from any stereo system using SoundHound. Also, you can even hum the melody of a song and the Android app will often be able to identify it only by analyzing your voice! Great music fans will enjoy this mobile application currently available on the Android Market.

With so many cool apps available for the Android Market smartphones, consumers have many choices. This great new competitive environment means that applications come from every day! Take a look at these selections if you want to enjoy yourself during the downtime throughout the week.



Subscribe to RSS - 21