App errors expose data on 180M mobile phones
new york — A simple coding error in at least 685 apps put millions of smartphone users at risk of having some of their calls and text messages intercepted by hackers, cyber-security firm Appthority warned on Thursday.
Developers mistakenly coded credentials for accessing text messaging, calling and other services provided by Twilio, said Appthority’s director of security research, Seth Hardy. Hackers could access those credentials by reviewing the code in the apps, then gain access to data sent over those services, he said.
Affected apps include the AT&T Navigator app pre-installed on many Android phones and more than a dozen GPS navigation apps published by Telenav. Such apps have been installed as many as 180 million times on Android phones and an unknown number of times on Apple’s iOS-based devices.
Shares of Twilio slid nearly 7 per cent after the Appthority report. Hackers covet Twilio credentials because they are used in a variety of apps that send text messages, process phone calls and handle other services. Hackers could access related data if they log into a developer’s Twilio account, Hardy said.
Appthority, cautious not to tip off potential hackers, did not list all the apps that could be vulnerable. Twillio’s website says its users include Uber Technologies and Netflix. However, large companies like those typically have security reviews that catch common coding errors like the one Appthority described. There was no indication that Uber or Netflix were affected by the problem.
The findings highlight new threats posed by the increasing use of third-party services such as Twilio, which says on its website that it powers communications for more than 40,000 businesses worldwide. — Reuters