Researchers Offer Tool to Vet Possible Insecure Mobile Backends

New research indicates that even though mobile developers may follow security best practices in their projects, their apps may be contacting cloud-based backend platforms that can introduce vulnerabilities without their knowledge.

"Unfortunately, app developers often disregard or have no control over prudent security practices when choosing or managing these services," said researchers from Georgia Institute of Technology and Ohio State University. They were scheduled to present their findings at the 28th USENIX Security Symposium in Santa Clara, Calif., being held Aug. 14-16, in a paper titled "The Betrayal At Cloud City: An Empirical Analysis Of Cloud-Based Mobile Backends."

The mobile backends included in the study typically provide supporting services such as storage, analytics, monitoring, social network integration, push notifications and so on.

In examining the top 5,000 free Google Play Store apps, the team found 983 N-day and 655 0-day instances of vulnerabilities across the OS, software services, communication and Web apps software layers of cloud backends.

[Click on image for larger view.] SkyWalker (source: USENIX)

"The mobile apps using these cloud backends represent between 1M and 500M installs each and can potentially affect hundreds of thousands of users," the paper states. "Further, due to the widespread use of third-party SDKs, app developers are often unaware of the backends affecting their apps and where to report vulnerabilities."

Furthermore, the academicians developed a tool called SkyWalker that can automatically vet such cloud backends and even provide remediation strategies, which they will provide to developers for free.

"This paper presents SkyWalker, a pipeline to automatically vet the backends that mobile apps contact and provide actionable remediation," the report states. "For an input APK, SkyWalker extracts an enumeration of backend URLs, uses remote vetting techniques to identify software vulnerabilities and responsible parties, and reports mitigation strategies to the app developer. Our findings suggest that developers and cloud providers do not have a clear understanding of responsibilities and liabilities in regards to mobile app backends that leave many vulnerabilities exposed."

A "Mobile Backend Security Assessment" site has been created, but still bears the "Coming soon" advisory, along with the description: "Mobile Backend Vetting, simplifying security assessments for mobile app developers."

The paper states that the free-to-use SkyWalker Web service initially supports only Android apps, but can be extended to support others, such as iOS. The paper didn't say exactly when the site will become active.

About the Author

David Ramel is an editor and writer for Converge360.