Thousands of smartphone applications, including some of the most popular, store users' data online in a way that makes it easily accessible to hackers, say German cyber security researchers.
The flaw, which the researchers likened to the Heartbleed bug, exposes passwords, addresses, access codes and location data.
The problem, which affects a wide range of apps including games, social networks, messaging, medical and bank transfer apps, lies in the way developers authenticate users when storing their data in online databases.
"In almost every category we found an app which has this vulnerability in it," said Siegfried Rasthofer from the Darmstadt University of Technology, who took part in the research.
Most apps use cloud services like Amazon Web Services or Facebook's Parse to store, share or back up users' data.
While such services offer ways for developers to protect the data, most choose the default option, in which access is tied to a token, a string of letters and numbers embedded in the app's own code, rather than to the identity of the individual user.
Because the token ships inside the app, attackers can extract it from the app package and reuse or modify it in requests of their own, which gives them access to the private data of every user of that app stored on the server.
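To make the mechanism above concrete, here is an added example written for this page; it is not code from the researchers or from any of the cloud providers named. It simulates a tiny backend-as-a-service in Python: the app "authenticates" with an embedded token, and what a caller may read is decided either by the class-level default (anyone holding the token can read the whole table) or by a per-record access control list tied to a logged-in user. The app binary, token format, record layout and backend API are all assumptions made for illustration.

```python
"""Added example, not the researchers' code: a toy model of the
backend-as-a-service pattern the article describes. The app embeds an
application token; the backend accepts any request carrying that token
and then applies either the class-level default or a per-record ACL.
All identifiers, data and the token format are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for an app package. A real attacker would run
# `strings` or a decompiler over the APK/IPA; the 40-hex-char token is an
# assumed format, not a specific provider's.
APP_BINARY = (
    b"\x7fELF\x00\x00some code\x00"
    b"https://api.example-baas.test/1/classes/Profile\x00"
    b"X-App-Id: chatapp-7f3\x00"
    b"X-Client-Key: 3f9c2a1b4e5d6c7f8a9b0c1d2e3f4a5b6c7d8e9f\x00"
    b"more code\x00"
)
APP_ID = "chatapp-7f3"
TOKEN_RE = re.compile(rb"[0-9a-f]{40}")


def extract_embedded_tokens(blob: bytes) -> List[str]:
    """Pull candidate API tokens out of an app binary by pattern; this is
    the 'extract' step the article refers to."""
    return [m.decode() for m in TOKEN_RE.findall(blob)]


@dataclass
class Record:
    object_id: str
    owner: str                    # user id of the record's owner
    data: Dict[str, str]
    acl: Optional[Dict[str, bool]] = None   # {user_id: may_read}; None -> class default


class ToyBackend:
    """Minimal BaaS: checks the *app* token, then decides per record what the
    caller may read. No real network is involved."""

    def __init__(self, app_id: str, client_key: str,
                 records: List[Record], class_public_read: bool):
        self.app_id = app_id
        self.client_key = client_key
        self.records = records
        # The insecure default: the app token alone unlocks the whole class.
        self.class_public_read = class_public_read

    def find(self, app_id: str, client_key: str,
             session_user: Optional[str] = None) -> List[Record]:
        if (app_id, client_key) != (self.app_id, self.client_key):
            raise PermissionError("unknown app credentials")
        visible = []
        for rec in self.records:
            if rec.acl is None:                      # fall back to class default
                if self.class_public_read:
                    visible.append(rec)
            elif session_user is not None and rec.acl.get(session_user, False):
                visible.append(rec)                  # per-user ACL, needs a session
        return visible


def build_records(with_acl: bool) -> List[Record]:
    """Constructed sample data: three users' profiles."""
    profiles = [("u1", {"email": "a@example.test", "phone": "+1-555-0100"}),
                ("u2", {"email": "b@example.test", "phone": "+1-555-0101"}),
                ("u3", {"email": "c@example.test", "phone": "+1-555-0102"})]
    return [Record(f"obj{i}", uid, data, {uid: True} if with_acl else None)
            for i, (uid, data) in enumerate(profiles)]


def _backend(hardened: bool) -> ToyBackend:
    token = extract_embedded_tokens(APP_BINARY)[0]   # the stolen token
    return ToyBackend(APP_ID, token, build_records(with_acl=hardened),
                      class_public_read=not hardened)


def records_readable_with_stolen_token(hardened: bool) -> int:
    """Replay the attack: query with the extracted token and no user session.
    Returns how many records leak."""
    token = extract_embedded_tokens(APP_BINARY)[0]
    return len(_backend(hardened).find(APP_ID, token, session_user=None))


def records_readable_by_owner(hardened: bool, user: str) -> int:
    """What a legitimately logged-in user sees under each configuration."""
    token = extract_embedded_tokens(APP_BINARY)[0]
    return len(_backend(hardened).find(APP_ID, token, session_user=user))


if __name__ == "__main__":
    print("default config, stolen token, no session:",
          records_readable_with_stolen_token(False))   # 3: the whole table
    print("ACL config, stolen token, no session:",
          records_readable_with_stolen_token(True))    # 0
    print("ACL config, logged in as u2:",
          records_readable_by_owner(True, "u2"))       # 1: only u2's own record
```

The point of the model is that the token proves which app is calling, not which user; once it is extracted it is as good as a password for the whole data set unless the backend also enforces per-user access rules. In a real deployment the equivalent check is to review the class-level permissions and ACLs on every stored class before release rather than leaving them on the provider's default.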
The research team, led by Eric Bodden from the Fraunhofer Institute for Secure Information Technology, found up to 56 million items of unprotected data in the applications studied.
However, Bodden said the actual number of affected records may be in the billions. Vulnerable applications, the researchers said, include those commonly available on Apple's and Google's app stores.
Colombian cyber-security researcher Jheto Xekri said he had found the same flaw independently of the German team.
Of the four technology companies whose services could be involved in the data breaches, only Apple and Facebook responded. Apple said it would soon add warnings telling developers to double-check their security settings before uploading apps to its App Store. Facebook said it was already in touch with affected developers but did not provide any details.
Facebook's Parse lists among its customers some of the world's biggest companies, all of which, Rasthofer said, were potentially affected.
Security researchers say mobile applications are more at risk of failing to secure users' data than those running on desktop or laptop computers. This is partly because implementing stronger security is harder, and partly because developers are in a rush to release their apps, said Ibrahim Baggili, who runs a cybersecurity lab at the University of New Haven.
Others pointed to weaknesses in the ways apps transmit data. Bryce Boland, Asia Pacific chief technology officer at Internet security company FireEye, said the report reflected deeper problems.
He said FireEye regularly found developers send users' names and passwords unencrypted, "so it's not surprising to find them storing them insecurely as well".
Bodden likened his team's discovery to the Heartbleed bug, a flaw in the widely used OpenSSL encryption library reported last year that left an estimated half a million web servers susceptible to data theft. Security researchers said this might be worse, since there was little users could do to protect themselves, and exploiting the vulnerability was easy.
"The amount of effort to compromise data by exploiting app vulnerabilities is far less than the effort to exploit Heartbleed," said Toshendra Sharma, founder of Bombay-based mobile security company Wegilant.
Other security researchers say that while responsibility for weak authentication lies with those developing the apps, others in the chain should shoulder some of the blame.
"The truth is that there is plenty of fault to go around," said Domingo Guerra, co-founder of mobile security company Appthority. Cloud providers and app stores, he said, should ensure best practices are implemented correctly and test apps for such holes.
The researchers said they had no documented evidence that the vulnerability had been exploited.