Cloud systems behind popular apps found to be open to attack
The back-end cloud-based systems that feed content and advertising to the most popular smartphone apps contain vulnerabilities that could let attackers steal personal data or, potentially, gain access to a user's phone, cybersecurity researchers have discovered.
A team from the Georgia Institute of Technology and the Ohio State University identified more than 1,600 vulnerabilities in the support ecosystem behind the top 5,000 free apps available in the Google Play Store.
“A lot of people might be surprised to learn that their phone apps are communicating with not just one, but likely tens or even hundreds of servers in the cloud,” said Brendan Saltaformaggio, an assistant professor in Georgia Tech’s School of Electrical and Computer Engineering.
“Users don’t know they are communicating with these servers because only the apps interact with them and they do so in the background. Until now, that has been a blind spot where nobody was looking for vulnerabilities.”
In their study, the researchers discovered 983 instances of known vulnerabilities and another 655 instances of zero-day vulnerabilities across the software layers of the cloud-based systems supporting the apps: operating systems, software services, communications modules and web apps.
The researchers are still investigating whether attackers could get into individual mobile devices connected to vulnerable servers.
“These vulnerabilities affect the servers that are in the cloud, and once an attacker gets on the server, there are many ways they can attack,” Saltaformaggio said. “It’s a whole new question whether or not they can jump from the server to a user’s device, but our preliminary research on that is very concerning.”
The researchers identified three classes of vulnerability in the back-end servers: SQL injection, XML external entity (XXE) injection and cross-site scripting (XSS).
By taking control of these machines in the cloud, attackers could gain access to personal data, delete or alter information or even redirect financial transactions to deposit funds in their own accounts.
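As an added illustration of two of those vulnerability classes (this code is not from the study or the article, and the in-memory SQLite schema and sample rows are constructed for the example), the following Python shows a back-end user lookup built by string concatenation beside its parameterised form, and an unescaped HTML fragment beside its escaped form:

```python
import sqlite3
import html


def make_db():
    """Constructed in-memory back-end database (assumed schema and rows, not study data)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, is_admin INTEGER)"
    )
    con.executemany(
        "INSERT INTO users (name, email, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice@example.test", 1), ("bob", "bob@example.test", 0)],
    )
    return con


def lookup_user_vulnerable(con, name):
    """SQL injection: the value the app sent is spliced into the SQL text,
    so a quote in it terminates the literal and the rest is parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_user_hardened(con, name):
    """Parameterised query: the driver passes the value separately from the
    statement, so it can only ever be compared as a string literal."""
    return con.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_profile_vulnerable(name):
    """Cross-site scripting: user-controlled text is placed directly into HTML."""
    return "<h1>Profile: " + name + "</h1>"


def render_profile_hardened(name):
    """Escaping <, >, &, and quotes makes the text inert in an HTML context."""
    return "<h1>Profile: " + html.escape(name, quote=True) + "</h1>"


if __name__ == "__main__":
    con = make_db()
    payload = "x' OR '1'='1"   # constructed injection payload
    print("vulnerable:", lookup_user_vulnerable(con, payload))   # every user row
    print("hardened:  ", lookup_user_hardened(con, payload))     # no match
    print(render_profile_hardened("<script>alert(1)</script>"))
```

With the payload `x' OR '1'='1`, the concatenated query becomes `... WHERE name = 'x' OR '1'='1'` and returns every user, whereas the parameterised version compares the whole payload as a literal name and returns nothing. XXE is not shown here; the corresponding fix on the server is to disable DTD processing and external entity resolution in whichever XML parser handles the app's requests.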
The researchers ran each application in a controlled environment on a mobile device connected to its back-end servers, recorded the traffic between the device and those servers, and repeated the process for every application studied.
“We found that a lot of applications don’t encrypt the communications between the mobile app and the cloud service, so an attacker that is between the two points or on the same network as the mobile could get information about the user - their location and user name - and potentially execute password resets,” said Omar Alrawi who worked on the project.
The vulnerabilities were not easy to spot. “You have to understand the context through which the app communicates with the cloud server,” he said. “These are very deep bugs that cannot be identified by simply scanning and using traditional tools that are used for web application security.”
The researchers studied only applications in the Google Play Store. But applications designed for iOS may share the same back-end systems.
“These servers provide back-end services for mobile apps that any device could use,” Alrawi added. “These cloud services are essential components of modern mobile apps. They are part of the always-connected world.”
The operators of vulnerable systems were notified of the findings.