To save app developers from having to do the security research they did, the researchers are offering SkyWalker, an analysis pipeline to study mobile backends. Developers will be able to submit their apps to SkyWalker at https://mobilebackend.vet and get a report on what it finds.
"SkyWalker will watch how the application communicates with those cloud servers, and then it will try to communicate with the servers to find vulnerabilities," said Alrawi. "This information can give an app developer a heads-up about potential problems before they make their application public."
The researchers studied only applications in the Google Play Store. But applications designed for iOS may share the same backend systems.
"These servers provide backend services for mobile apps that any device could use," Alrawi said.
"These cloud services are essential components of modern mobile apps. They are part of the always-connected world."
For the future, the researchers hope to study how the vulnerabilities could affect smartphone users, and to check on whether the problems they identified have been addressed.
"We are going to keep doing these sorts of studies and will revisit them later to see how the attack landscape has improved," said Saltaformaggio. "We will keep looking for more blind spots that need to be studied. In the new world of smartphones and mobile applications, there are unique problems that need to be rooted out."
In addition to those already mentioned, the research team included Ruian Duan and Ranjita Pai Kasturi from Georgia Tech and Zhiqiang Lin from The Ohio State University. This work was partially supported by the Air Force Office of Scientific Research (AFOSR) under grant FA9550-14-1-0119 and by National Science Foundation (NSF) awards 1834215 and 1834216. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsoring organizations.