Why Mobile Apps Put Data At Risk

Backend-as-a-Service (BaaS) vendors enable developers to connect back-end cloud infrastructure to their apps and push various services, but security researchers are now casting doubts on how secure these BaaS applications truly are.

At the Black Hat Europe security conference in Amsterdam late last week, researchers from the Technical University and the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany, revealed that thousands of applications set up back-end services in a way that could compromise millions of sensitive user-created records, PCWorld reported yesterday (Nov. 16).

BaaS platforms let developers push notifications, use cloud-based database storage and manage user administration and other services from within their apps. But the study presented by the researchers found that many developers follow an unsafe practice: they embed their primary BaaS access keys inside the app itself.

This leaves applications, especially mobile ones, vulnerable, since the app can be reverse engineered by cybercriminals to recover those keys and gain access to back-end databases and user credentials, PCWorld said.

In a test of more than 2 million iOS and Android applications to gauge the severity of the problem, the researchers were able to extract nearly 1,000 back-end credentials, which gave them access to more than 18.5 million records containing 56 million data items.

The researchers said they have contacted Google, Apple and the BaaS providers about the vulnerability, but as of Nov. 12 the exposed credentials still gave access to more than 52 million data items.