Researchers from the University of Darmstadt say app developers have exposed 56 million credentials by borking login processes using services from Google, Amazon, and Facebook.
The research team tested 750,000 Android and iOS applications, examining the way they used the federated identity services to make authentication smooth across different devices.
The team found data including email addresses, passwords, and health records could be exposed to eavesdroppers, and the respective accounts compromised if tokens were captured.
"App developers use cloud databases to store user data but apparently ignore the security recommendation given by the cloud providers," the team wrote.
"As a result, many user accounts are threatened by identity theft and other cybercrimes (sic).
Professor Bodden says app developers often get authentication wrong when they use only a few lines of code.
"All cloud providers extensively document on their webpages how apps must include the BaaS (back-end-as-a-service) such that secure access to the data is guaranteed," Bodden says.
"Most developers seem to be missing this crucial piece of information, though, and opt for the simple but insecure usage of the service, probably not even aware that they are putting their user's data at risk.
"In virtually all apps the research team investigated, access to the data associated with the app is secured only by a secret key, which is directly embedded into the app."
Attackers would need to extract the key from the app or steal it over an insecure wireless connection for example.
The researchers say app developers should implement an access control scheme that properly protects private data.
They used the Appicaptor platform in conjunction with other scanners and scripts to identify apps with weak authentication. ®