Eavesdropping Apps: Coding Error May Allow Hackers To Intercept Texts

A simple coding error made in hundreds of apps may have exposed as many as 180 million smartphone users to having their text messages and phone conversations intercepted by hackers, security researchers warned.

The warning comes from experts at the cybersecurity firm Appthority, who spotted an error plaguing as many as 685 mobile apps—including one used for secure communications by a federal law enforcement agency—and would allow hackers to access user data sent through the affected apps.

The issue, which has been dubbed Eavesdropper, stems from the use of an application programming interface (API) from Twilio. The API requires authentication, and some developers hard-code the credentials for the API into the mobile application—a discouraged coding practice that opens up the app to the Eavesdropper vulnerability.

When the credentials are hard-coded into the app, it is possible for an attacker to hijack those credentials by examining the app’s code. Using the stolen credentials, a hacker could bypass authentication checks and steal user data handled by Twilio and other third-party services.

Because Twilio is commonly used to handle text messaging and audio calls in mobile apps, the vulnerability opens users up to the possibility that someone may hijack messages and call records or spy on their conversations.

Eavesdropper is an especially troublesome problem for a number of reasons. First, most users are likely unaware of what API their mobile apps use to handle certain features like texts and calls so it is unlikely the average person would be able to spot if an app they are using is vulnerable.

Secondly, the issue has nothing to do with Twilio or it’s API; it’s an issue that is entirely created by the app developer. If they hard-code credentials, be it on accident or out of an act of laziness or malice, it is the user who suffers.

Even more troublesome is the fact that a mistake by one developer may affect many different apps. Appthority found issues in 685 apps that were linked to 85 affected Twilio accounts, suggesting that a hacker could steal the credentials from one app and could use it to compromise a number of other apps.

The researchers also warned that credentials used by at least 902 app developer accounts were found stored in Amazon Web Services servers. The credentials could potentially be used to access app and user data stored on Amazon servers.

More than 170 apps vulnerable to the Eavesdropper are still live in app stores including the Google Play Store and Apple’s App Store. Among those at risk are an app for enterprise sales teams to record and annotate discussions in real time and branded navigation apps for customers of AT&T and U.S. Cellular.

Twilio said the company has found no evidence to suggest the Eavesdropper vulnerability has been exploited in the wild or that hackers have used credentials hard-coded into apps to hijack user data, but is working with developers to change the credentials on affected accounts.