A mobile app vulnerability called Eavesdropper, which was discovered earlier this year, has been detected in over 685 enterprise apps (44% Android, 56% iOS).
The vulnerability is caused by hard-coded credentials in mobile applications built on the Twilio REST API or SDK. If compromised, these credentials can provide global access to all metadata stored in the associated Twilio accounts, which can include text/SMS messages, call details, and voice recordings from every app developed with the exposed credentials. This vulnerability has the potential to put organizations at risk of data disclosure, blackmail, or other types of compromise.
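As an added illustration (not code from the article, Twilio, or any affected vendor), the following Python check shows the kind of pre-release scan a defender can run over an app's source tree or extracted resources to flag credential strings in the Twilio formats before they ship; the formats (Account SID "AC" plus 32 hex characters, auth token 32 hex characters) are from Twilio's public documentation, and the sample files and values are constructed.

```python
import re
from dataclasses import dataclass

# Twilio Account SIDs are "AC" followed by 32 hex characters; auth tokens are 32 hex
# characters (format per Twilio's public docs). A bare 32-hex string is only flagged
# when it sits beside a token-like key name, so hashes and UUIDs do not drown the report.
ACCOUNT_SID = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
AUTH_TOKEN = re.compile(
    r"(?i)(auth[_-]?token|twilio[_-]?token|twilio[_-]?secret)\s*[:=]\s*['\"]?([0-9a-fA-F]{32})\b"
)

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str      # "account_sid" or "auth_token"
    preview: str   # redacted value; the scanner never echoes the full secret

def redact(value: str) -> str:
    # Keep enough of the value to locate it in source, mask the middle.
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per credential-shaped match, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCOUNT_SID.finditer(line):
            findings.append(Finding(path, lineno, "account_sid", redact(m.group(0))))
        for m in AUTH_TOKEN.finditer(line):
            findings.append(Finding(path, lineno, "auth_token", redact(m.group(2))))
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample resembling an app's extracted sources; all values are made up.
SAMPLE_FILES = {
    "app/src/main/java/com/example/sms/TwilioClient.java": (
        "public class TwilioClient {\n"
        '    static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";\n'
        '    static final String AUTH_TOKEN = "fedcba9876543210fedcba9876543210";\n'
        "}\n"
    ),
    # A 32-hex build hash with no credential-like key name: must not be reported.
    "ios/Example/Info.plist": "<key>build_hash</key><string>0123456789abcdef0123456789abcdef</string>\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: hard-coded {f.kind} {f.preview}")
```

The same scan is just as useful on a decompiled build of an app your organization already deploys, since the credentials that matter are the ones that made it into the shipped binary.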
According to some security experts, this vulnerability should never have been exploitable if proper best practices had been followed. Tim Erlin, VP of product management and strategy at Tripwire, said hard-coded passwords should not be used by developers in the first place, since they give an attacker the ability to log into an account belonging to the developer who created that app, and those accounts contain sensitive information from that developer and their company.
“In most cases, these Twilio accounts are related to a business, and there’s data an attacker could steal or leverage,” he said. Worse, the vulnerability might affect not just one organization, but any organization or individual using an affected app.
Erlin said there is no master list of apps affected by the vulnerability, but that Google and Apple are actively removing the affected apps. Therefore, applying any and all available updates to your mobile apps (or those of your users) and checking to see if these are still valid in the Google or Apple app stores is the best strategy to take here. If the apps no longer exist, remove them immediately.
If the app still exists, but there aren’t any updates available, Erlin recommended contacting the vendor. “Check with the vendor to see if the app is impacted. If so, you have to look to them for remediation steps,” he said. “If the vendor hasn’t responded, it’s well worth putting some pressure on them for a response.”
Erlin’s solution for preventing vulnerabilities like Eavesdropper is better education regarding overall secure software development practices.
Josh Mayfield, director of product marketing at FireMon, said the Eavesdropper vulnerability brings a new flavor to the world of mobile threats and offered further tips on how to avoid inadvertently creating such vulnerabilities.
“Organizations can fall victim to an unforeseen attack which takes note of changes happening within the infected apps. This technique allows an attacker to learn about the user and their behaviors, connections, communication regularities, and more. It allows them to correlate user tendencies and then exploit the systems for which the user has access. This allows Eavesdropper a measure of persistence, like trying to swat an exceptionally agile house fly,” Mayfield said.
With dissolving perimeters and universal identity access becoming more prevalent, organizations can be baffled when the identity itself is compromised. Mayfield said the best way to protect against this kind of exploit is configuration assurance throughout the network (on-premises, cloud, virtual environments, etc.). In other words, the aim is to build an adaptable security policy framework that can cut off east-west traffic once a mobile device has been compromised, preventing the compromise from spreading through the network.
“The challenge with this concept is that there are often multiple systems in the chain without an enforcement point such as a firewall, switch, or gateway. You must implement an enforcement point with an asset-centric security policy,” he said. The policy can be adjusted to increase or restrict access based on changes, such as when an asset switches locations or attributes or otherwise operates differently.
The goal is to move away from the model of merely using a firewall and dictating which traffic is allowed or blocked, and toward a philosophy of matching expected device behavior with permitted access and operations. Credentials alone are not sufficient to mitigate risk; access should instead be governed by the asset attributes that determine expected behavior. Therefore, if a device is affected by Eavesdropper, the organization can quarantine the infection with automated security enforcement to prevent the spread.
Mayfield also recommended that developers utilize two-factor authentication to prevent vulnerabilities such as Eavesdropper. “This poses some burden; the end user is often miffed by having to provide answers to challenge questions or keying in a code for 2FA, but such is the cost of security,” he said. Obviously, IT departments would do well to communicate the reasoning behind these costs as well as the risks stemming from the failure to comply with them.