(In-)Security of Backend-As-A-Service

Presented at Black Hat Europe 2015, Unknown date/time (Unknown duration).

Smartphone applications frequently need to store data remotely. From a developer's point of view, setting up and maintaining back-ends, however, is time-consuming and error-prone. Therefore, commercial cloud-based data storage solutions from Backend-As-A-Service (BaaS) providers such as the ones from Amazon, Google, and Facebook have become omnipresent. They provide simple APIs for common tasks such as managing database records or files. Adding a few library classes and writing three or four lines of code is sufficient to make an interaction between the cloud and the app, and, e.g., store credit card data. While this model is convenient, one might wonder whether it's really secure in practice (spoiler: it's not). In this study, we will show that many BaaS solutions are completely insecure and attackers have no difficulties in breaking into the developer's backend. We investigated about two million Android apps and the results were quite shocking. We were able to access more than 56 million sensitive user records stored in the cloud by heavily misconfigured BaaS solutions. These records contained all sorts of sensitive data processed by Android apps: medical information, credit card data, photos, voice-, audio- and video-records, money transaction records, etc. Some apps even contained credentials that gave us full control over the remote storage. Adversaries could hijack Amazon S3-Buckets which gives them the ability to modify sensitive customer databases, add malicious code to well-known websites or directly run malware on the cloud at the app developer's expense. In order to find and verify these insecure BaaS solutions in Android applications, we developed an automatic exploit generator that extracts credentials from the app, even if they are obfuscated, and provides access to the respective BaaS backend.


Presenters:

  • Siegfried Rasthofer - TU Darmstadt / CASED
    Siegfried Rasthofer is a third year PhD student at the TU Darmstadt (Germany) and his main research focus is on applied software security on Android applications. Together with his colleagues, he developed different tools that combine static and dynamic code analysis for security purposes. He is also an active bug hunter in the context of Android.
  • Steven Arzt - TU Darmstadt / CASED
    Steven Arzt is a third year PhD student in Eric Bodden's research group (SSE - Secure Software Engineering Group) at the TU Darmstadt / EC SPRIDE. His focus is mainly on static analysis, both on concrete applications and on the engines and techniques in the background. For the last few years, he has maintained the Soot static analysis framework and developed the FlowDroid open-source static data flow tracker.

Links:

Similar Presentations: