Mobile threat protection firm Appthority discovered an exploit in almost 700 iOS and Android apps that could expose the private messages and calls of users. The company said that up to 180 million Android devices could be affected, along with an unknown number of iOS devices.
The vulnerability, dubbed Eavesdropper, comes from using the Twilio Rest API or SDK for apps’ communication services. The issue isn’t a problem on Twilio’s side; it’s due to the developers that are using these APIs mistakenly hard coding their credentials into the apps’ code.
“The vulnerability is called Eavesdropper because the developers have effectively given global access to the text/SMS messages, call metadata, and voice recordings from every app they’ve developed with the exposed credentials,” explains Appthority's Michael Bentley.
The company found Eavesdropper on over 685 apps back in April, around 33 percent of which were business-related. They include "an app for secure communication for a federal law enforcement agency, an app that enables enterprise sales teams to record audio and annotate discussions in real-time, and branded and white label navigation apps for customers such as AT&T and US Cellular."
Appthority informed Twilio of Eavesdropper back in July but it’s estimated that the vulnerability has been present since 2011. By the end of August, the number of apps containing the vulnerability had fallen to 75 on Google Play and 102 on the App Store, which is still quite a lot.
To lessen the risk of hacks, Appthority didn’t publish a full list of the apps that are still vulnerable. Twilio is working with developers to change credentials on affected accounts. The company said it has no evidence that hackers have used Eavesdropper to access customers’ data.
Despite Twilio not being at fault, its shares fell almost seven percent following the report’s publication.