AUGUST 12, 2019 by Georgia Institute of Technology

Cybersecurity researchers have discovered vulnerabilities in the backend systems that feed content and advertising to smartphone applications through a network of cloud-based servers that most users probably don’t even know exists.

In research to be reported August 15 at the 2019 USENIX Security Symposium, researchers from the Georgia Institute of Technology and The Ohio State University identified more than 1,600 vulnerabilities in the support ecosystem behind the top 5,000 free apps available in the Google Play Store. The vulnerabilities, affecting multiple app categories, could allow hackers to break into databases that include personal information—and perhaps into users’ mobile devices.

To help developers improve the security of their mobile apps, the researchers have created an automated system called SkyWalker to vet the cloud servers and software library systems. SkyWalker can examine the security of the servers supporting mobile applications, which are often operated by cloud hosting services rather than individual app developers.

“A lot of people might be surprised to learn that their phone apps are communicating with not just one, but likely tens or even hundreds of servers in the cloud,” said Brendan Saltaformaggio, an assistant professor in Georgia Tech’s School of Electrical and Computer Engineering. “Users don’t know they are communicating with these servers because only the apps interact with them and they do so in the background. Until now, that has been a blind spot where nobody was looking for vulnerabilities.”

The Air Force Office of Scientific Research and the National Science Foundation supported the research.

In their study, the researchers discovered 983 instances of known vulnerabilities and another 655 instances of zero-day vulnerabilities spanning across the software layers—operating systems, software services, communications modules and web apps—of the cloud-based systems supporting the apps. The researchers are still investigating whether attackers could get into individual mobile devices connected to vulnerable servers.

“These vulnerabilities affect the servers that are in the cloud, and once an attacker gets on the server, there are many ways they can attack,” Saltaformaggio said. “It’s a whole new question whether or not they can jump from the server to a user’s device, but our preliminary research on that is very concerning.”

The researchers identified three types of attack that could be made on the backend servers: SQL injection, XML external entity and cross-site scripting, explained Omar Alrawi, a Georgia Tech graduate research assistant and co-first author with Chaoshun Zuo at Ohio State. By taking control of these machines in the cloud, attackers could gain access to personal data, delete or alter information or even redirect financial transactions to deposit funds in their own accounts.
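The three server-side classes named above are best understood by seeing a vulnerable handler beside its hardened form. The following is an added example written for this page, not code from the SkyWalker project or the paper; the user table, the handlers and the sample inputs are all constructed for illustration.

```python
"""Vulnerable backend handlers beside hardened ones for the three classes
the article names: SQL injection, XML external entity (XXE) and
cross-site scripting (XSS).

Added example, not SkyWalker's or the paper's code. The table layout,
handler names and inputs are constructed for illustration.
"""
import html
import re
import sqlite3
import xml.etree.ElementTree as ET


def make_db():
    # Constructed in-memory table standing in for a backend's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# --- SQL injection -------------------------------------------------------

def lookup_email_vulnerable(conn, name):
    # String concatenation: the caller's input becomes part of the SQL text,
    # so quote characters in it change the query's structure.
    rows = conn.execute(
        "SELECT email FROM users WHERE name = '" + name + "'"
    ).fetchall()
    return [r[0] for r in rows]


def lookup_email_hardened(conn, name):
    # Parameter binding: the input travels as data and is never parsed
    # as SQL, whatever characters it contains.
    rows = conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,)
    ).fetchall()
    return [r[0] for r in rows]


# --- XML external entity --------------------------------------------------

_DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def parse_profile_hardened(xml_text):
    # Entity declarations can only appear inside a DOCTYPE. Client-supplied
    # profile documents have no legitimate need for one, so refusing any
    # DOCTYPE removes the XXE vector before the parser sees the input.
    if _DOCTYPE.search(xml_text):
        raise ValueError("DOCTYPE not allowed in client-supplied XML")
    root = ET.fromstring(xml_text)
    return root.findtext("name")


# --- Cross-site scripting -------------------------------------------------

def render_greeting_vulnerable(display_name):
    # Untrusted text is spliced straight into HTML.
    return "<p>Hello, " + display_name + "</p>"


def render_greeting_hardened(display_name):
    # html.escape turns <, >, &, " and ' into entities, so the value is
    # shown as text rather than interpreted as markup.
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(lookup_email_vulnerable(db, "x' OR '1'='1"))  # every row
    print(lookup_email_hardened(db, "x' OR '1'='1"))    # []
    print(render_greeting_hardened("<script>"))
```

The same quote-bearing input returns every row from the concatenated query and nothing from the bound one; that difference, not any particular payload, is what a backend review looks for.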

To study the system, Alrawi and Zuo ran applications in a controlled environment on a mobile device that connected to backend servers. They then watched the communications between the device and servers, and repeated the process for all of the applications studied.

Figure: A portion of the four-phase process used by SkyWalker to vet backend systems used to support mobile apps. Credit: Georgia Tech

“We found that a lot of applications don’t encrypt the communications between the mobile app and the cloud service, so an attacker that is between the two points or on the same network as the mobile could get information about the user—their location and user name—and potentially execute password resets,” Alrawi said.
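The method described above (run the app in a controlled environment, record which servers it talks to) and the finding that some of that traffic is unencrypted can both be illustrated with a small inventory script. This is an added example, not the SkyWalker pipeline's own code: it takes a request log of the kind a monitored run would produce (the format and every entry here are constructed, using reserved `.test` hostnames), lists the distinct backend hosts, and flags requests that send user-identifying fields over plaintext HTTP.

```python
"""Inventory the backend hosts an app contacts and flag user data sent
without TLS, from a request log captured during a controlled run.

Added example, not SkyWalker's code. The log format, the hostnames
(reserved .test names) and the parameter list are constructed.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one observed request per line, "METHOD URL".
SAMPLE_LOG = """\
GET https://api.example-app.test/v1/feed?page=1
POST http://ads.example-cdn.test/track?uid=4242&lat=33.77&lon=-84.39
POST https://auth.example-app.test/login
GET http://ads.example-cdn.test/creative/17.png
POST http://legacy.example-app.test/reset?user=alice&token=abc123
"""

# Query parameter names treated as user-identifying or sensitive
# (constructed list; a real review would derive it from the app).
SENSITIVE_PARAMS = {"uid", "user", "username", "email",
                    "lat", "lon", "token", "password"}


def parse_log(text):
    """Return [(method, SplitResult)] for each non-empty log line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, url = line.split(maxsplit=1)
        entries.append((method, urlsplit(url)))
    return entries


def inventory(text):
    """Map each backend host to its request count and whether any
    request to it used plaintext HTTP."""
    hosts = defaultdict(lambda: {"requests": 0, "plaintext": False})
    for _, u in parse_log(text):
        info = hosts[u.hostname]
        info["requests"] += 1
        if u.scheme == "http":
            info["plaintext"] = True
    return dict(hosts)


def cleartext_exposures(text):
    """Requests that carry sensitive parameters without TLS, as
    [(host, path, sorted parameter names)]."""
    findings = []
    for _, u in parse_log(text):
        if u.scheme != "http":
            continue
        leaked = sorted(set(parse_qs(u.query)) & SENSITIVE_PARAMS)
        if leaked:
            findings.append((u.hostname, u.path, leaked))
    return findings


if __name__ == "__main__":
    for host, info in sorted(inventory(SAMPLE_LOG).items()):
        flag = "PLAINTEXT" if info["plaintext"] else "tls"
        print(f"{host:28s} {info['requests']:3d} requests  {flag}")
    for host, path, params in cleartext_exposures(SAMPLE_LOG):
        print(f"cleartext user data to {host}{path}: {', '.join(params)}")
```

In practice the log would come from an interception proxy on the test device rather than a string literal; the point of the inventory is that the ad and analytics hosts, which the developer did not write, show up alongside the app's own API, and each plaintext one is a host on which a same-network observer sees whatever the app sends.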

The vulnerabilities were not easy to spot. “You have to understand the context through which the app communicates with the cloud server,” he said. “These are very deep bugs that cannot be identified by simply scanning and using traditional tools that are used for web application security.”

The operators of vulnerable systems were notified of the findings. Concern about who is responsible for securing those backend servers is one of the issues to come out of the study.

“It’s actually a significant problem because of how many different software developers may have their hands in building these cloud servers,” Saltaformaggio said. “It’s not always clear who is responsible for doing the patching and who is responsible for the vulnerabilities. It’s tough to track down these vulnerabilities, but it’s also tough to get them patched.”

To save app developers from having to do the security research they did, the researchers are offering SkyWalker, an analysis pipeline to study mobile backends.

“SkyWalker will watch how the application communicates with those cloud servers, and then it will try to communicate with the servers to find vulnerabilities,” said Alrawi. “This information can give an app developer a heads-up about potential problems before they make their application public.”

The researchers studied only applications in the Google Play Store. But applications designed for iOS may share the same backend systems.

“These servers provide backend services for mobile apps that any device could use,” Alrawi said. “These cloud services are essential components of modern mobile apps. They are part of the always-connected world.”

For the future, the researchers hope to study how the vulnerabilities could affect smartphone users, and to check on whether the problems they identified have been addressed.

“We are going to keep doing these sorts of studies and will revisit them later to see how the attack landscape has improved,” said Saltaformaggio. “We will keep looking for more blind spots that need to be studied. In the new world of smartphones and mobile applications, there are unique problems that need to be rooted out.”

More information: Developers will be able to submit their apps to SkyWalker at https://mobilebackend.vet and get a report on what it finds.
Provided by Georgia Institute of Technology

Collected at: https://techxplore.com/news/2019-08-smartphone-apps-vulnerable-backend-cloud.html?utm_source=nwletter&utm_medium=email&utm_campaign=daily-nwletter

10 thoughts on “Smartphone apps may connect to vulnerable backend cloud servers”

  1. I'm not sure where you're getting your information, but good topic. I need to spend some time learning more or understanding more. Thanks for the great information; I was looking for this info for my mission.

    1. Thanks.
      I have read and carefully selected the topics of the website.
      Sometimes, the website will not update since there is not good ideas for the website.
      By the way, the web updates within 3 days 😀

  2. Today, I went to the beach front with my kids. I found a sea shell and gave it to my 4 year old daughter and said “You can hear the ocean if you put this to your ear.” She put the shell to her ear and screamed. There was a hermit crab inside and it pinched her ear. She never wants to go back! LoL I know this is entirely off topic but I had to tell someone!

  3. Thanks for your publication. I also feel that laptop computers have become more and more popular currently, and now are often the only form of computer included in a household. The reason being at the same time they are becoming more and more reasonably priced, their computing power keeps growing to the point where these are as highly effective as pc’s from just a few years ago.

  4. I have observed that online diploma is getting preferred because obtaining your degree online has changed into a popular selection for many people. A large number of people have definitely not had a possible opportunity to attend a traditional college or university nevertheless seek the increased earning possibilities and a better job that a Bachelors Degree gives. Still people might have a college degree in one training but would wish to pursue another thing they now possess an interest in.

  5. Today, considering the fast lifestyle that everyone is having, credit cards have a huge demand in the economy. Persons from every area of life are using credit card and people who aren’t using the credit card have arranged to apply for even one. Thanks for revealing your ideas on credit cards.

  6. Thanks for your article. My partner and i have often seen that the majority of people are wanting to lose weight since they wish to look slim and also attractive. Having said that, they do not constantly realize that there are other benefits to losing weight also. Doctors insist that over weight people have problems with a variety of disorders that can be instantly attributed to their excess weight. The good thing is that people who definitely are overweight plus suffering from diverse diseases are able to reduce the severity of their particular illnesses through losing weight. It is possible to see a constant but identifiable improvement in health whenever even a negligible amount of fat reduction is accomplished.
