GPS, food delivery, photo editing, alarm clock, I have an app for that. You probably do, too. We rely on apps of all kinds to accomplish simple everyday tasks. The utility of these many apps often leads us to overlook some of the security concerns.
Luckily, there are security researchers we can trust to discover errors and breaches that we, as users, would never know about. Unfortunately, by the time security experts find coding errors, it may be too late for the millions of smartphone users who have already been exposed.
Millions of smartphone users may be affected
Earlier this week, cybersecurity firm Appthority discovered that developers had mistakenly hard-coded their access credentials for Twilio, an SMS and call communications tool, into their apps. By reviewing the code in the affected apps, hackers can steal the hard-coded developer credentials and gain access to all data sent through the service.
Over 680 apps may be linked to the 85 affected Twilio accounts. Among the affected apps is the AT&T Navigator app that comes pre-installed on many Android phones, as well as several other navigation apps that have been installed over 180 million times by both Android and Apple users.
The vulnerability, dubbed “Eavesdropper,” may also present a risk to enterprises that use the Twilio client for in-house communications. It is impossible to know which apps and businesses are affected by the 85 developer credentials that were exposed, because Appthority, out of caution, did not publish a full list of affected apps so as not to tip off potential hackers.
So what can hackers do with this new open window? The results could be devastating. Hackers can pose as Twilio developers and gain access to every text, call log and voice recording for every app that the accounts have created. That means data on 180 million smartphones could be up for grabs.
This vulnerability also has the potential to give hackers access to any calls or texts that are made through the Twilio system, giving them the ability to eavesdrop on conversations between developers about upcoming changes or newly discovered bugs. That could lead developers to inadvertently expose new vulnerabilities in an app before they have had time to fix them.
The scary part is that there’s nothing consumers can do to protect their information. It’s all up to the app developers at this time. This security exploit should serve as a yellow flag to developers, warning them to be more cautious of the information they share in the future. You never know who is listening.
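For developers, the hard-coded credentials described above can be caught before release by scanning app source for them. The Python check below is an added example, not code from Appthority or Twilio; the sample class, the placeholder credential values, the `WINDOW` setting and the backend URL are constructed assumptions.

```python
import re

# Twilio Account SIDs are "AC" followed by 32 hex characters; auth tokens are
# 32 hex characters with no prefix, so a token is only flagged near a SID.
SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
TOKEN_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
WINDOW = 3  # lines either side of a SID searched for a token (assumption)

# Constructed placeholder values, not real credentials.
FAKE_SID = "AC" + "0" * 32
FAKE_TOKEN = "f" * 32
SAMPLE_VULNERABLE = "\n".join([
    "public class SmsClient {",
    '    private static final String ACCOUNT_SID = "' + FAKE_SID + '";',
    '    private static final String AUTH_TOKEN = "' + FAKE_TOKEN + '";',
    "}",
])
# Corrected form: the app calls the developer's backend (hypothetical URL),
# and the Twilio credentials never ship inside the app.
SAMPLE_FIXED = "\n".join([
    "public class SmsClient {",
    '    private static final String BACKEND_URL = "https://api.example.invalid/sms";',
    "}",
])


def redact(secret):
    """Keep enough of the value to locate it without copying it into reports."""
    return secret[:4] + "..." + secret[-2:]


def scan_source(path, text):
    """Return findings for hard-coded Twilio SIDs and any token close to them."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for sid in SID_RE.findall(line):
            lo, hi = max(0, i - WINDOW), min(len(lines), i + WINDOW + 1)
            token_lines = [j + 1 for j in range(lo, hi)
                           if TOKEN_RE.search(lines[j])]
            findings.append({
                "file": path, "line": i + 1, "sid": redact(sid),
                "token_lines": token_lines,
                # A SID with a token beside it is a usable credential pair.
                "severity": "critical" if token_lines else "review",
            })
    return findings
```

A finding marked `critical` means both halves of the credential are present in the app, so the auth token should be rotated in addition to removing it from the code.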