Still are app developers careless with user data. A study by the Fraunhofer SIT showed that several million records are at risk in the cloud - for a lax handling of authentication.
Developers are still storing unprotected preferred secret keys and tokens for access to the cloud storage in their apps. With little effort it can get read. For this criminals can get access to databases such as the Amazon Web Services (AWS) or Facebook. By this way are up to 56 million records compromised, estimates the Fraunhofer Institute for Security in Information Technology (SIT).
Together with the Technical University of Darmstadt and expert from Intel examined the Fraunhofer SIT in an automated process about two million apps in Google Play Store and Apple's App Store. In many has been the simplest form of authentication for access to cloud providers implemented. The developers are probably not aware of how inadequate the information are protected and getting collected by the Apps Data.
Unrestricted access to customer data
In their experiments, the scientists could not only read highly personal information, such as who are friends with whom Facebook or health information, from some app users. Using the secret key actually they could read complete user databases or even could manipulate them.
The report concludes that user cannot become actively protect. You should be careful what app you entrust personal information. Developers, however, should be better informed of the safety precautions of the cloud provider and implement more restrictive access controls in their apps. The researchers have already informed some developers on the most critical vulnerabilities.
Cloud providers have to act
Even with the providers of cloud services is the Fraunhofer SIT in contact. Both, Amazon and Facebooks Parse.com, Google and Apple have been informed of the findings too. The cloud providers also incumbent responsibility to bring the app developers to use not only the most vulnerable authentications. In addition, the cloud provider should make not convenient, but the safest possible standards mandatory.
The problem is not new. Already in June 2014 did researchers of the New York's Columbia University, a similar investigation and covered a distance of thousands of secret access token for Amazon Web Services open. The researchers then criticized that many developers did not follow the recommended conversions when programming their Apps and imbedded secret keys directly into the source code. They are apparently unaware of how simple source code can be translated back. In March 2014 researchers had discovered ten thousands of AWS credentials on Github.