Thousands of Android and iOS Apps Leak Data from Cloud Storage

According to Zimperium, 14% of mobile apps that use cloud services for data storage expose information that can be exploited for fraud or attacks on corporate networks. The main cause of these issues is misconfigured cloud containers by app developers.

Modern mobile applications often store usage-related data on specialized cloud services. Access to this information can occur in various ways—by downloading static files, querying databases, or through APIs. Unfortunately, by relying on service providers, app developers often overlook a crucial aspect: server-side security.

Zimperium’s statistics show that the most popular cloud storage services among developers are Amazon Web Services (AWS), Microsoft Azure, Google Storage, and Google Firebase. These providers offer access to cloud container settings and detailed usage instructions.

However, the research found that app creators rarely take advantage of these features and instead stick with default settings. Such negligence can make trusted information easily accessible to attackers.

To assess the scale of the problem, Zimperium experts analyzed 1.3 million different Android and iOS apps. They discovered that 14% of these apps use insecure cloud access policies and may leak data to third parties.

What Information Is at Risk?

The following types of data are particularly vulnerable to exposure:

• Personally identifiable information (PII) of users
• Data valuable to fraudsters, such as images of receipts with purchase details, registration session IDs, client IDs, and payment card tokens
• IP addresses and details of the infrastructure in use, including server scripts, SSH keys, server configuration files, installation files, and in some cases—even passwords for payment terminals

These mistakes are most commonly made by developers of business apps, shopping apps, social media clients, data transfer applications, and specialized tools.