The Eavesdropper vulnerability affects nearly 700 apps in enterprise mobile environments, 170 of which are live in the official app stores today.
The vulnerability is caused by developers carelessly hard-coding credentials in mobile applications that use the Twilio REST API or SDK, according to researchers at Appthority.
Affected Android apps alone have been downloaded up to 180 million times.
This issue is not specific to developers who create apps with Twilio. Hard-coding credentials is a pervasive and common developer error that increases the security risk of mobile apps.
Appthority researchers found that developers who hard-code credentials for one service have a high propensity to make the same error with other services.
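As an added example (not Appthority's tooling or code from the article), the check below scans decompiled source or extracted app strings for a hard-coded Twilio Account SID together with an auth token, the pairing that exposes the whole account; the Java snippet it scans is constructed, and the variable-name patterns it looks for are assumptions.

```python
import re
from typing import Dict, List

# Twilio Account SIDs are "AC" followed by 32 hex characters and auth tokens are
# 32 hex characters; the variable-name alternatives are an assumption for this example.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
AUTH_TOKEN_RE = re.compile(
    r"""(?i)(auth[_-]?token|twilio[_-]?token)\s*[=:]\s*["']?([0-9a-f]{32})\b"""
)

# Constructed snippet resembling decompiled Android code; not from any real app.
SAMPLE_SOURCE = """\
public class SmsHelper {
    static final String TWILIO_ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    static final String TWILIO_AUTH_TOKEN = "fedcba9876543210fedcba9876543210";
    static final String BUILD_COMMIT = "0123456789abcdef0123456789abcdef01234567";
    // Hardened pattern: the app only holds a short-lived token minted by the
    // developer's own backend, so no long-lived account secret ships in the APK.
    String accessToken = backend.fetchShortLivedToken(userSession);
}
"""

def redact(secret: str) -> str:
    """Keep a short prefix so a finding can be matched to a credential without
    the report itself becoming another clear-text copy of it."""
    return secret[:4] + "*" * (len(secret) - 4)

def find_hardcoded_twilio_credentials(source: str) -> List[Dict[str, object]]:
    """Scan extracted strings or decompiled source; one finding per credential hit."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in ACCOUNT_SID_RE.finditer(line):
            findings.append({"line": lineno, "kind": "account_sid",
                             "value": redact(m.group(0))})
        for m in AUTH_TOKEN_RE.finditer(line):
            findings.append({"line": lineno, "kind": "auth_token",
                             "value": redact(m.group(2))})
    return findings

def account_fully_exposed(findings: List[Dict[str, object]]) -> bool:
    """The SID identifies the account; SID plus auth token grants REST API access
    to everything in it, which is the Eavesdropper condition."""
    kinds = {f["kind"] for f in findings}
    return {"account_sid", "auth_token"} <= kinds
```

The 40-character build hash and the backend-issued short-lived token in the sample are deliberately left unflagged: only a long-lived account secret shipped inside the app is the problem.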
Over the lifetime of the apps and the developer’s use of the same credentials, the Eavesdropper vulnerability exposes massive amounts of sensitive current and historic data.
Eavesdropper does not rely on a jailbroken or rooted device, nor does it take advantage of a known OS vulnerability or attack via malware. The vulnerability shows how a simple developer mistake of exposing credentials in one app can affect larger families of apps by that same developer using the same credentials, even compromising other apps where best practices were followed, through side-channel and historic attacks.
In addition, the vulnerability isn’t resolved by removing an affected app from the app store or user’s devices. The lifetime of the app’s data and the data from other apps created by that developer is exposed until the credentials for all apps are properly updated and, of course, not disclosed in clear text in the apps.
The Appthority Mobile Threat Team (MTT) first discovered the Eavesdropper vulnerability in April 2017 and notified Twilio in July 2017 about the exposed accounts.
The oldest affected iOS app dates from 2009, with one or more compromised accounts affected since 2011.