Appthority, the enterprise mobile threat protection company, announced news on Thursday (Nov. 9) that it published research on its recent discovery of a so-called Eavesdropper vulnerability, in which hackers can intercept texts, voice messages and other user data from millions of smartphones through their mobile apps.
In a press release, the company said the cyberattack vulnerability is caused by “developers carelessly hard coding their credentials in mobile applications that use the Twilio Rest API or SDK, despite best practices the company clearly outlines in its documentation.” Twilio, said Appthority, has reached out to all developers with affected apps and is actively working to secure their accounts.
According to the company, Appthority mobile security researchers have identified this as a real and ongoing threat affecting close to 700 apps in enterprise mobile environments, over 170 of which are live in the official app stores today. Affected Android apps have been downloaded up to 180 million times, the company said.
What’s more, the company said the issue is not specific to developers who create apps with Twilio. Hard coding of credentials is a common developer error that increases the security risks of mobile apps. Appthority researchers are finding that developers who hardcode credentials in one service are likely to make the same error with other services.
Examples of apps with the Eavesdropper vulnerability include an app for secure communication for a federal law enforcement agency, an app that enables enterprise sales teams to record audio and annotate discussions in real-time and branded and white label navigation apps for customers, such as AT&T and U.S. Cellular, the mobile threat protection company stated in its press release.
“Eavesdropper poses a serious enterprise data threat because it allows an attacker to access confidential company information, which may include a range of sensitive information often shared in an enterprise environment, such as negotiations, pricing discussions, recruiting calls, product and technology disclosures, health diagnoses, market data or M&A planning,” said Seth Hardy, Appthority director of Security Research in the release. “An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data.”