German researchers have found a potential “hole” in the way third-party applications store user data. By their count, the exposure may cover more than 56 million records of sensitive information. Experts told “Gazeta.ru” how serious the threat is and how it should be countered.
Researchers in Germany have discovered about 56 million unsecured records, Reuters reports. They range from innocuous data such as game details to information from social networks, correspondence, medical data and bank transaction data.
One of the researchers, Siegfried Rasthofer, said that virtually every application category contains a program that introduces the vulnerability. According to the experts, the total number of unprotected accounts could be several billion.
The problem, the analysts say, lies in the method application developers use to store data. Cloud storage services such as Amazon Web Services and Facebook Parse are now widely used. Although these services offer special methods for protecting the information stored with them, most developers use the default method, in which the account and the information attached to it are reached with a sequence of letters and numbers (a token).
This token is stored inside the app, and according to Eric Bodden, head of the group of engineers, hackers can obtain it without much trouble, which gives them access to the protected data stored on the server.
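The two access models at issue here can be made concrete in a small simulation. The following is an added example, not the researchers' tooling or any real backend service's API: a toy in-memory store shows the default pattern, in which one application-wide key unlocks every record, beside a hardened pattern, in which the application key only identifies the app and each user receives a session token that the server checks against record ownership. All names, records and passwords are constructed for the illustration.

```python
"""Constructed comparison: one shared application key versus per-user,
ownership-checked session tokens.  Example code, not any real service."""
import hashlib
import hmac
import secrets

# Constructed sample records, keyed by user id.
RECORDS = {
    "alice": {"email": "alice@example.test", "transactions": ["-12.00 EUR"]},
    "bob": {"email": "bob@example.test", "transactions": ["+300.00 EUR"]},
}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed password store: user id -> (per-user salt, PBKDF2 hash).
PASSWORD_STORE = {}
for _user, _pw in {"alice": "correct horse", "bob": "battery staple"}.items():
    _salt = secrets.token_bytes(16)
    PASSWORD_STORE[_user] = (_salt, _hash_password(_pw, _salt))


def password_ok(user_id, password):
    """Verify a password against the store with a constant-time comparison."""
    entry = PASSWORD_STORE.get(user_id)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash_password(password, salt), stored)


class WeakBackend:
    """Default-style setup: a single application key is the only credential,
    so any holder of that key can read any user's record.  A key that ships
    inside the app has to be assumed known to anyone who has the app."""

    def __init__(self):
        self.app_key = secrets.token_hex(16)

    def fetch(self, presented_key, user_id):
        if not hmac.compare_digest(presented_key, self.app_key):
            raise PermissionError("bad application key")
        return RECORDS[user_id]  # never asks *whose* request this is


class ScopedBackend:
    """Hardened setup: the application key only identifies the app; a user
    must authenticate to get a session token bound to their own user id, and
    every read is checked against that binding (a per-record ACL)."""

    def __init__(self):
        self.app_key = secrets.token_hex(16)
        self._sessions = {}  # session token -> user id

    def login(self, presented_key, user_id, password):
        if not hmac.compare_digest(presented_key, self.app_key):
            raise PermissionError("bad application key")
        if not password_ok(user_id, password):
            raise PermissionError("authentication failed")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        return token

    def fetch(self, token, user_id):
        owner = self._sessions.get(token)
        if owner is None:
            raise PermissionError("unknown or expired token")
        if owner != user_id:
            raise PermissionError("token is not authorised for this record")
        return RECORDS[user_id]


def demo():
    """Run both models and report which reads succeed."""
    weak = WeakBackend()
    # With the weak model, the app key alone reaches another user's record.
    weak_other = weak.fetch(weak.app_key, "bob") == RECORDS["bob"]

    scoped = ScopedBackend()
    alice_token = scoped.login(scoped.app_key, "alice", "correct horse")
    scoped_own = scoped.fetch(alice_token, "alice") == RECORDS["alice"]
    try:
        scoped.fetch(alice_token, "bob")
        scoped_other = True
    except PermissionError:
        scoped_other = False
    return {"weak_reads_other_user": weak_other,
            "scoped_reads_own": scoped_own,
            "scoped_reads_other_user": scoped_other}


if __name__ == "__main__":
    print(demo())
```

The point the comparison makes is that the application key is not the problem by itself; the problem is a server that treats possession of that key as authorisation for every record. In the hardened model the same key leaks nothing on its own, because a read also needs a session token that the server has tied to a specific, authenticated user.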
According to the researchers, there are no documented cases of this vulnerability being exploited. Facebook is already working on a solution to the problem and on improving the security of the data stored with it. Apple will also tighten the requirements for applications published in the App Store, according to the study.
Victor Chebyshev, head of the mobile threats research group at “Kaspersky Lab”, told “Gazeta.ru” that this threat can be very serious. Experts attribute it to the prevailing low-quality coding culture, in which not every developer is concerned about user safety. “Hence the problem: developers use the API by default, without encryption. In this case, out of laziness, a single shared information access key is in fact used for an application,” Chebyshev said.
Thus, according to him, by installing the app themselves, cybercriminals can gain access to the data of many users, and for this it is enough to have reverse-engineering skills.
To combat this, it is necessary to improve code quality and always use encryption, especially when user data is transmitted. “From the user’s perspective there is no universal protection; the only thing we can advise is not to use login via Facebook / Twitter / other social networks across all the services and applications that follow,” Chebyshev added.
As Alexander Kovalev, deputy general director of Zecurion, told “Gazeta.ru”, if an application’s security is organized correctly, a token alone will not be enough. There are various levels of protection that do not allow a connection to the server with only one “pulled” key. “In fact, the server can also have a multi-level protection system, and the token can be the base of a data release mechanism for a specific application that includes several other encryption keys,” Kovalev said.
He noted that good developers build a simple but effective data protection system in which the service consists of three parts: the application on the smartphone itself, the server part responsible for processing the data, and the database where the information is stored. All of these should be kept as separate from one another as possible and should communicate with each other only through encryption.
In addition, applications can themselves encrypt and decrypt the data stored on the server, so that even if someone manages to read the information stored there, decrypting it without the other key is not possible, the expert added.
“If we talk about banking applications, it is usually no longer the application that is authorized but the device itself,” Kovalev said. According to him, even with all the encryption keys, connecting to the bank is not possible without the information held on the device. That data is stored in the device’s system, so without physical access to the phone, data cannot be obtained from the bank’s server.
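The device-bound scheme Kovalev describes can be sketched in code. This is an added example, not any bank's protocol and not code from the article: a toy server issues a session token but releases data only when the request also carries a response to a fresh challenge, computed with a secret created on the enrolled device. Token, challenge and message shapes are assumptions; the HMAC challenge-response is a standard construction chosen here for illustration.

```python
"""Constructed illustration of device binding: a session token is not
enough on its own; the server also demands proof of a device-held secret.
Example code, not any real bank's protocol."""
import hashlib
import hmac
import secrets

# Constructed sample balances, keyed by user id.
BALANCES = {"alice": "1,240.00 EUR", "bob": "87.50 EUR"}


class Device:
    """Phone side.  The secret is created at enrolment and never leaves the
    device (in a real app it would sit in the platform keystore)."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def enrolment_secret(self):
        """Copy handed to the bank once, during enrolment, over an already
        authenticated channel (a symmetric scheme is assumed here)."""
        return self._secret

    def answer(self, challenge):
        """Prove possession of the secret without revealing it."""
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class BankServer:
    def __init__(self):
        self._tokens = {}      # session token -> user id
        self._devices = {}     # user id -> enrolled device secret
        self._challenges = {}  # session token -> outstanding challenge

    def enrol(self, user_id, device_secret):
        self._devices[user_id] = device_secret

    def issue_token(self, user_id):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user_id
        return token

    def challenge(self, token):
        if token not in self._tokens:
            raise PermissionError("unknown token")
        nonce = secrets.token_bytes(32)
        self._challenges[token] = nonce
        return nonce

    def fetch_balance(self, token, response):
        user = self._tokens.get(token)
        nonce = self._challenges.pop(token, None)  # single use: no replay
        if user is None or nonce is None:
            raise PermissionError("no session or no outstanding challenge")
        expected = hmac.new(self._devices[user], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            raise PermissionError("device proof invalid")
        return BALANCES[user]


def demo():
    """Show that the token is useless without the enrolled device."""
    bank = BankServer()
    phone = Device()
    bank.enrol("alice", phone.enrolment_secret())
    token = bank.issue_token("alice")

    # 1. Enrolled device: challenge answered correctly, balance released.
    ok = bank.fetch_balance(token, phone.answer(bank.challenge(token))) == BALANCES["alice"]

    # 2. Same token presented from a device that was never enrolled.
    other = Device()
    try:
        bank.fetch_balance(token, other.answer(bank.challenge(token)))
        wrong_device = True
    except PermissionError:
        wrong_device = False

    # 3. Replay of an earlier valid response against a new challenge.
    old = phone.answer(bank.challenge(token))
    bank.fetch_balance(token, old)  # consumes that challenge
    bank.challenge(token)
    try:
        bank.fetch_balance(token, old)
        replay = True
    except PermissionError:
        replay = False
    return {"enrolled_device": ok, "other_device": wrong_device, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The fresh challenge per request is what makes the proof non-transferable: a copied token, or a captured earlier response, does not help without the secret that only the enrolled device holds.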
However, that is the ideal case.
In reality, according to the German study, access to application data is unfortunately easier, and for now the problem is widespread.