New Tool Reveals Big Vulnerabilities In Mobile Apps That Use Multiple Clouds

Proponents frequently boast that cloud-based architectures are more secure than traditional networks, but that’s not necessarily the case for mobile apps that use lots of different cloud services all at once. 

A team from the Georgia Institute of Technology looked at more than 5,000 of the most popular Android apps in the Google Play store and found that more than 20 percent had some vulnerability resulting from the way the app was using backend cloud services. With funding from the Air Force Research Lab and the National Science Foundation, they built a tool, dubbed SkyWalker, that developers can use to check their apps for such vulnerabilities. 

Most of the apps on your phone use cloud services—to send or fetch content, serve ads, track your behavior, or just keep from filling up your device’s memory. “Unfortunately, a mobile app developer who wants to audit the backends their app uses will quickly find that this is harder than it seems,” the Georgia Tech team writes in a paper to be delivered at the USENIX Security Symposium on Thursday.

Cloud backend services for mobile app development, it turns out, are a rat's nest. The Georgia Tech team found that the 5,000 apps were using a total of 6,869 server networks all across the globe. Some apps were communicating with more than one cloud network on more than one continent.

“A lot of people might be surprised to learn that their phone apps are communicating with not just one, but likely tens or even hundreds of servers in the cloud,” said Brendan Saltaformaggio, an assistant professor in Georgia Tech’s School of Electrical and Computer Engineering, in a statement. “Users don’t know they are communicating with these servers because only the apps interact with them and they do so in the background. Until now, that has been a blind spot where nobody was looking for vulnerabilities.” 

Of the vulnerabilities they found, 983 were already listed on the federal government’s National Vulnerabilities Database. But they discovered  655 new ones—“zero days,” in the parlance. 

How big a problem is that? “The hijacking of the Fortnite mobile game showed how incrementally-downloaded content from mobile backends can allow an attacker to install additional mobile apps without the user’s consent. Additional cases involving the exposure of 43 terabytes of enterprise customer names, email addresses, phone numbers, PIN reset tokens, device information, and password lengths was due to insecure mobile backends and not the developer’s mobile app code.”

The team’s SkyWalker tool, which will eventually be available here, lets app developers audit the various cloud-based tools they may be building into their products to determine where the vulnerabilities are. 

The Air Force has distinguished itself from other services in recent years by encouraging airmen to develop their own software to fix problems that they encounter, so the safety of cloud backend tools for mobile apps is directly relevant to their work. 

The paper also comes as the Pentagon is about to award a massive enterprise cloud contract under the Joint Enterprise Defense Infrastructure, or JEDI, program, to either Microsoft or Amazon Web Services (unless the program is halted and changed.) Detractors have argued that going with one cloud provider for such a large chunk of the Pentagon’s data represents a single target vulnerability and that using multiple smaller cloud providers would be more secure. The SkyWalker team’s research illustrates why that presumption is faulty.