How a Simple Coding Error Risked the Security of Millions of Smartphone Users
A very simple coding error, repeated across almost 700 apps, has left 180 million smartphone owners at risk of having their texts and calls hijacked. The warning was published late last week by Appthority. In practice it means that attackers can gain access to confidential material without the user ever realizing.
How did this happen?
The problem arose when app developers hard-coded the credentials for Twilio's calling and texting services into their apps. This made it easy for attackers to recover those credentials from the app code and reuse them to gain access.
The Appthority report, which named the vulnerability Eavesdropper, states that it has existed since 2011, and that exploiting it takes an attacker only three simple steps.
Twilio is a communication service used by over 40,000 businesses; however, the exposure is limited to calls and texts made through the affected applications. Affected apps include ones from AT&T and Telenav that typically come pre-installed on Android smart devices. The number of iOS users affected by the coding error has yet to be disclosed, but around 180 million Android devices are affected.
The bug was reported confidentially to the companies affected, and the majority of the apps have since been removed from the App Store and the Google Play Store. They have also been patched.
How can you prevent falling victim?
This major vulnerability is just one example of how a security vulnerability can be introduced into an application accidentally through a coding error. It can easily be prevented by ensuring that apps installed on smart devices regularly undergo security checks.
Although it is advisable to have protection on all devices, responsibility for an app's security also rests with its developers. To avoid this or similar problems, app development teams should make sure that no vulnerabilities remain before an app is released. The biggest challenge companies face is that they have little to no skill in using the tools that can stop them falling victim to hackers. Unfortunately, this lack of skills applies not only to users but also to developers. Many traditional secure-coding courses are not only time consuming but also tend to lack the necessary focus on the specific challenges a developer actually faces. This is one reason why it is hardly surprising that coding errors leading to vulnerabilities keep occurring.
A good alternative to the traditional courses that most people find boring is Codebashing, which is taught in shorter sessions. This approach is easier to digest and focuses on specific problems rather than giving a general overview.
Alongside introducing developers to secure coding tools, it is just as important to have a source code analysis tool.
One of the most effective ways to test an app's source code and find vulnerabilities early is static application security testing (SAST). It allows problems that hackers could later exploit to be found during the SDLC, before release. The core job of SAST is to analyze the source code of an app and report vulnerabilities that would otherwise remain hidden. Using a SAST tool this early lets developers reduce the chance of shipping code vulnerabilities like Eavesdropper.
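To illustrate the kind of check a SAST tool performs on the Eavesdropper pattern, the following Python scanner (example code written for this article, not Appthority's or any vendor's tool) flags Twilio credentials embedded in Android source and shows them absent from a hardened version that keeps the credentials on a backend. The credential shapes are assumed from Twilio's documented formats (Account SID "AC" plus 32 hex characters, 32-hex auth token); all sample values, class names and URLs are constructed.

```python
import re
from dataclasses import dataclass

# Constructed Android (Java) fragment that ships Twilio account credentials
# inside the app, the pattern behind Eavesdropper. Both values are made up.
VULNERABLE_JAVA = '''
public class SmsSender {
    private static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    private static final String AUTH_TOKEN = "fedcba9876543210fedcba9876543210";
    private static final String API = "https://api.twilio.com/2010-04-01/Accounts/";
}
'''

# Constructed hardened version: the app talks only to the developer's own
# backend (hypothetical URL), which holds the Twilio credentials server-side.
HARDENED_JAVA = '''
public class SmsSender {
    private static final String BACKEND = "https://api.example-app.invalid/v1/sms";
    // The user's session token is obtained at login; no Twilio secret is shipped.
}
'''

# Assumed Twilio formats: Account SIDs are "AC" plus 32 hex characters; auth
# tokens are 32 hex characters, so a bare 32-hex literal is only flagged when
# a token-like identifier precedes it (keeps false positives down).
TWILIO_PATTERNS = {
    "account_sid": re.compile(r'"(AC[0-9a-fA-F]{32})"'),
    "auth_token": re.compile(r'(?i)(?:auth|twilio)[_-]?token\W{1,5}"([0-9a-f]{32})"'),
    "twilio_endpoint": re.compile(r'"(https?://api\.twilio\.com[^"]*)"'),
}

@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    evidence: str  # redacted so the report itself does not leak the secret

def redact(value: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return value[:8] + "..." if len(value) > 8 else value

def scan_source(source: str) -> list[Finding]:
    """Minimal SAST-style check: flag Twilio credentials embedded in source."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in TWILIO_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, redact(match.group(1))))
    return findings
```

Running `scan_source(VULNERABLE_JAVA)` reports the SID, token and Twilio endpoint by line, while `scan_source(HARDENED_JAVA)` returns nothing, which is the outcome a pre-release SAST gate should require.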