The researchers identified more than 1,600 vulnerabilities in the support ecosystem behind the top 5,000 free apps available in the Google Play Store. Affecting multiple app categories, these vulnerabilities could allow hackers to break into databases that include personal information – and perhaps into users' mobile devices.
To help developers limit the damage an attacker could do and to improve the security of their mobile apps, the researchers built an automated system called SkyWalker that vets the cloud servers and software libraries behind an app. SkyWalker can examine the security of the servers supporting a mobile application, which are often operated by cloud hosting providers rather than by the app developers themselves.
"A lot of people might be surprised to learn that their phone apps are communicating with not just one, but likely tens or even hundreds of servers in the cloud," said Brendan Saltaformaggio, an assistant professor in Georgia Tech's School of Electrical and Computer Engineering. "Users don't know they are communicating with these servers because only the apps interact with them and they do so in the background. Until now, that has been a blind spot where nobody was looking for vulnerabilities."
The study discovered 983 instances of known vulnerabilities and another 655 instances of zero-day vulnerabilities spanning the software layers – operating systems, software services, communications modules and web apps – of the cloud-based systems supporting the apps. Whether attackers could move from a vulnerable server into the individual mobile devices that connect to it is still unknown; investigation of that question is ongoing.
"These vulnerabilities affect the servers that are in the cloud, and once an attacker gets on the server, there are many ways they can attack," Saltaformaggio said. "It's a whole new question whether or not they can jump from the server to a user's device, but our preliminary research on that is very concerning."