‘Eavesdropper’ vulnerability strikes hundreds of mobile apps using Twilio

Careless coding by mobile developers using Twilio’s application programming interface (API) has left hundreds of enterprise communication apps vulnerable to snooping and monitoring, security researchers revealed Thursday.

Apps impacted by the newly-named Eavesdropper vulnerability total nearly 700, including one used for secure communications by a federal law enforcement agency, according to research from the Appthority Mobile Threat Team.

Others affected include an app that enables enterprise sales teams to record audio and annotate discussions in real-time, and branded white label navigation apps for customers such as AT&T and U.S. Cellular. More than 170 affected and vulnerable apps are currently live in app stores today, Appthority says.

Downloads of vulnerable Android apps total 180 million. Vulnerable apps expose historic and current data including calls, call records, call audio recordings, and SMS and MMS text messages, according to Appthority.

Twilio says there’s no evidence the issue has been exploited in the wild.

“Eavesdropper is caused by developers carelessly hard-coding their credentials into mobile applications,” reads a release from Appthority.

A spokesman for Twilio told CyberScoop that hard-coding API credentials “is a poor coding practice, well-known to both the security and API industries.

“We’ve discouraged this practice for some time throughout our documentation and developer outreach,” said the company’s Senior Public Relations Manager Trak Lord, adding that the apps affected were “a very small fraction” of Twilio accounts, and that many “had long been decommissioned by their developers.”

The company has reached out to all developers with affected apps, he said and is working “to rotate their API keys and implement secure solutions.”

Appthority’s report notes that “developers who hard code credentials in one service have high propensity to make the same error with other services, such as between app tools, in this instance, and data storage like Amazon S3.”

“Eavesdropper poses a serious enterprise data threat because it allows an attacker to access confidential company information, which may include a range of sensitive information often shared in an enterprise environment, such as negotiations, pricing discussions, recruiting calls, product and technology disclosures, health diagnoses, market data or M&A planning,” said Seth Hardy, Appthority director of security research.

“An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data,” added Hardy.

Appthority researchers first discovered the Eavesdropper vulnerability in April and notified Twilio in July about the exposed accounts.