The researchers identified three types of attack that could be made on the backend servers: SQL injection, XML external entity and cross-site scripting, explained Omar Alrawi, a Georgia Tech graduate research assistant and co-first author with Chaoshun Zuo at Ohio State. By taking control of these machines in the cloud, attackers could gain access to personal data, delete or alter information or even redirect financial transactions to deposit funds in their own accounts.
To study the system, Alrawi and Zuo ran applications in a controlled environment on a mobile device that connected to backend servers. They then watched the communications between the device and servers, and repeated the process for all of the applications studied.
"We found that a lot of applications don't encrypt the communications between the mobile app and the cloud service, so an attacker that is between the two points or on the same network as the mobile could get information about the user - their location and user name - and potentially execute password resets," Alrawi said.
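One way a defender can check for the cleartext exposure described above is to replay each app in a lab and audit the captured requests for plaintext HTTP that carries identifiers, location, or reaches a password-reset endpoint. The script below is an added example, not code from the study; the captured requests, hostnames, and sensitive field names are constructed assumptions.

```python
"""Flag cleartext app-to-backend traffic that exposes user data.

Added example; the sample capture below is constructed and the
sensitive field names and reset-path hints are assumptions."""
from typing import NamedTuple
from urllib.parse import parse_qs, urlsplit

SENSITIVE = {"user", "username", "email", "lat", "lon", "latitude", "longitude"}
RESET_HINTS = ("reset", "forgot")


class Finding(NamedTuple):
    host: str
    reason: str
    url: str


def audit_requests(requests: list[dict]) -> list[Finding]:
    """Return one Finding per cleartext request that leaks identifiers or
    location, and one per password-reset endpoint reached without TLS."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme != "http":  # TLS in use; nothing to flag here
            continue
        # Field names from the query string plus any captured form body
        fields = set(parse_qs(parts.query)) | set(req.get("form", {}))
        leaked = sorted(fields & SENSITIVE)
        if leaked:
            findings.append(Finding(parts.hostname,
                                    "cleartext fields: " + ",".join(leaked),
                                    req["url"]))
        if any(h in parts.path.lower() for h in RESET_HINTS):
            findings.append(Finding(parts.hostname,
                                    "password reset over cleartext",
                                    req["url"]))
    return findings


# Constructed sample capture (hostnames are placeholders, not real backends)
SAMPLE = [
    {"url": "https://api.example-backend.test/v1/profile?user=alice"},
    {"url": "http://api.example-backend.test/v1/locate?lat=33.77&lon=-84.39"},
    {"url": "http://api.example-backend.test/account/reset",
     "form": {"email": "alice@example.test"}},
    {"url": "http://cdn.example-backend.test/static/logo.png"},
]

if __name__ == "__main__":
    for f in audit_requests(SAMPLE):
        print(f"{f.host}: {f.reason} ({f.url})")
```

The HTTPS profile call and the static image produce no finding; the location query and the reset request over plain HTTP do.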
The vulnerabilities were not easy to spot. "You have to understand the context through which the app communicates with the cloud server," he said. "These are very deep bugs that cannot be identified by simply scanning and using traditional tools that are used for web application security."
The operators of vulnerable systems were notified of the findings. One issue raised by the study is uncertainty about who is responsible for securing those backend servers.
"It's actually a significant problem because of how many different software developers may have their hands in building these cloud servers," Saltaformaggio said. "It's not always clear who is responsible for doing the patching and who is responsible for the vulnerabilities. It's tough to track down these vulnerabilities, but it's also tough to get them patched."