Is there an ‘eavesdropper’ in your mobile apps?

Just recently a story caught my eye that illustrated like no other the importance of trusting your software developers, and really checking the provenance of any apps that you use.

The story, broken by Appthority, was about a vulnerability dubbed ‘eavesdropper’ that could have resulted in a large-scale exposure of data and metadata in mobile apps. The vulnerability is caused by software developers carelessly hardcoding their credentials into mobile apps that use the Twilio Rest API or SDK. Twilio has responded quickly to news of the vulnerability and reached out to all the developers with affected apps, of which there are apparently 700, some 170 of which are still available on the app stores.

Appthority claim that over a lifetime of poor coding practice, developers using the same credentials can expose massive amounts of sensitive data including call records, minutes of calls, minutes of call audio recordings, and SMS and MMS texts. We’ve written before about the importance of protecting metadata, and once again, here is another instance where metadata has potentially been compromised.
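The flaw described above is easy to check for once an app has been unpacked: the credentials are literal strings in the binary or its resources. The scanner below is an added illustration written for this post, not Appthority's or Twilio's tooling. It assumes its input is a text dump of strings pulled from a decompiled app, and that Twilio credentials follow their published shapes (an Account SID is "AC" followed by 32 hex digits, an Auth Token is 32 hex digits); the sample dump, SID and token are constructed, not real.

```python
"""Scan a strings dump from a decompiled mobile app for hardcoded Twilio credentials.

Added example (not the post's, Appthority's or Twilio's code). Assumes:
  - input text is one candidate string per line, as produced by dumping
    resources, constants and config files out of an unpacked app;
  - Twilio Account SIDs are "AC" + 32 hex digits and Auth Tokens are 32 hex digits.
"""
import re
from dataclasses import dataclass

SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
# 32 hex digits on its own is too broad to report alone (hashes look the same),
# so a token is only reported when it sits within a few lines of an SID.
TOKEN_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
TWILIO_HOST_RE = re.compile(r"api\.twilio\.com", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str   # "twilio_endpoint", "account_sid" or "auth_token"
    value: str  # redacted so the report itself does not leak the secret


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it in source, never the whole secret."""
    return f"{secret[:4]}...{secret[-4:]}"


def scan_strings(text: str, window: int = 3) -> list[Finding]:
    """Return every Twilio endpoint, Account SID and nearby Auth Token in the dump."""
    lines = text.splitlines()
    findings: set[Finding] = set()
    for i, line in enumerate(lines, start=1):
        if TWILIO_HOST_RE.search(line):
            findings.add(Finding(i, "twilio_endpoint", line.strip()))
        for m in SID_RE.finditer(line):
            findings.add(Finding(i, "account_sid", redact(m.group())))
            # An SID by itself is not secret; the SID/token pair is what lets
            # anyone drive the REST API as the app's account, so look for a
            # token within `window` lines of the SID.
            lo, hi = max(0, i - 1 - window), min(len(lines), i + window)
            for j in range(lo, hi):
                for t in TOKEN_RE.finditer(lines[j]):
                    findings.add(Finding(j + 1, "auth_token", redact(t.group())))
    return sorted(findings, key=lambda f: (f.line_no, f.kind))


def has_hardcoded_twilio_credentials(text: str) -> bool:
    """True only when both halves of a usable credential pair are present."""
    kinds = {f.kind for f in scan_strings(text)}
    return {"account_sid", "auth_token"} <= kinds


# Constructed sample of what a strings dump from a careless app might contain.
SAMPLE_SID = "AC" + "deadbeef" * 4        # constructed, not a real account
SAMPLE_TOKEN = "0123456789abcdef" * 2     # constructed, not a real token
SAMPLE_DUMP = "\n".join([
    "res/values/strings.xml",
    "app_name=Example Messenger",
    "twilio_base=https://api.twilio.com/2010-04-01/Accounts",
    f"twilio_sid={SAMPLE_SID}",
    f"twilio_token={SAMPLE_TOKEN}",
    "analytics_id=a1b2c3",
])

if __name__ == "__main__":
    for f in scan_strings(SAMPLE_DUMP):
        print(f"line {f.line_no:>3}  {f.kind:<16} {f.value}")
    print("hardcoded Twilio credentials:", has_hardcoded_twilio_credentials(SAMPLE_DUMP))
```

Run it over the output of whatever unpacking tool you already use for app review; a hit means the credential pair ships to every user of the app and has to be rotated, not merely hidden better. The fix is architectural rather than cosmetic: the app should authenticate its own user to a backend the developer controls, and only that backend should hold the Twilio credentials and call the API.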

While Apple are fairly aggressive at pushing security updates to end users, the same cannot be said of Android devices once they have ceased to be the latest model. Android devices are notoriously under-patched and under-maintained – a headache for any IT department with users that insist on using older Android devices for business.

This is another example, if any were needed, of the advantages of using an app that is reviewed and certified by a recognized and trusted authority. This type of vulnerability, caused by poor practice, is exactly the type of flaw that NCSC looks for during its certification process.

Unlike some other suppliers in the ‘secure communications’ space, Armour would never use any third-party analytics or tracking libraries and our app does not communicate with any such third-party servers. It’s for the same reason (the trust of our users) that we don’t outsource any of our development work and only use carefully selected third-party libraries (which are also constantly monitored for security updates). Nor will you find any bitcoin miners slipped into the app when you are not looking!

There is a reason why some of these apps are free to use. It is worth keeping in mind that if you want genuine security, you do need to pay a little for it.
