Cybersecurity woes from the mobile apps

Kanika Saxena writes:

While public API keys, such as those of Facebook and LinkedIn, are intentionally made available for other apps to verify user identities, most apps use private keys that need to be kept secure, the report explains.

Most hackers initiate an attack with credential theft. To steal the access keys or login credentials, they employ phishing attacks, deploy malware to sort and filter usernames and passwords, or segregate and pick secret keys from GitHub, where developers might accidentally expose AWS keys.

Accounts associated with a website can be hacked, complete servers could be terminated, and entire datasets and databases could be wiped out. What happens with the data? Fake calls, phishing e-mails, identity thefts — all aimed at targeting people for money or harassing them in other ways. Furthermore, use of the same password across websites and apps helps the hackers’ cause.

The author writes about the potential losses from such breaches: AWS keys are routinely left exposed or hard-coded in mobile applications. Here’s a graphic from the write-up:

History of attacks using leaked AWS keys
Taken from the source.

If you look carefully, these are commonly used applications, so the leaks have a profound impact on user privacy. Moreover, company access can easily be obtained through these compromised sources, which is why they require careful scrutiny.
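The hard-coded AWS keys mentioned above are usually sitting in plain text inside the app package, so they can be caught before release. The following is an added example, not code from the original write-up or the report it discusses: a pre-release check that scans decoded app resources (for instance the `strings.xml` produced by decoding an APK) for the documented AWS access key ID format and for 40-character secrets on lines that mention "secret", reports the location with the value redacted, and ignores AWS's own documentation placeholder key. The sample `strings.xml` and both key values in it are constructed placeholders.

```python
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Access key IDs: 4-letter prefix (AKIA long-term, ASIA temporary) + 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys are 40 base64-style chars with no prefix; require a "secret" hint on the same line.
SECRET_RE = re.compile(r"secret[^\n]{0,40}?['\">=:\s]([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])", re.IGNORECASE)
# AWS's documentation placeholder; reporting it would only be noise.
DOCUMENTED_EXAMPLES = {"AKIAIOSFODNN7EXAMPLE"}

@dataclass(frozen=True)
class Finding:
    source: str
    line: int
    kind: str
    redacted: str

def redact(value: str) -> str:
    # Keep just enough of the value to locate it in the file; never echo a full credential.
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(text: str, source: str = "<text>") -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            if m.group(0) not in DOCUMENTED_EXAMPLES:
                findings.append(Finding(source, lineno, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_RE.finditer(line):
            findings.append(Finding(source, lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings

# Constructed sample of a decoded res/values/strings.xml; both key values are placeholders.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Example Health Tracker</string>
    <string name="aws_access_key">AKIACONSTRUCTEDKEY00</string>
    <string name="aws_secret_key">constructedSecretKeyPlaceholder012345678</string>
    <string name="docs_example">AKIAIOSFODNN7EXAMPLE</string>
</resources>
"""

if __name__ == "__main__":
    paths = sys.argv[1:]  # files from a decoded app package; without arguments, scan the sample
    hits = [f for p in paths for f in scan_text(Path(p).read_text(errors="replace"), p)]
    if not paths:
        hits = scan_text(SAMPLE_STRINGS_XML)
    for f in hits:
        print(f"{f.source}:{f.line}: {f.kind} {f.redacted}")
    sys.exit(1 if hits else 0)  # non-zero exit fails a CI build that still bundles a key
```

The "secret" hint keeps false positives manageable, but a secret stored under an unrelated name will be missed, so this complements rather than replaces keeping credentials out of the app entirely.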

Stolen personal information paves the way for phishing scams. Attackers devise phishing schemes to lure unsuspecting users into sharing confidential information such as credit or debit card details. With this information in hand, cybercriminals can also extort victims.

My concern is about the healthcare applications that are proliferating everywhere, and there should be a policy to ban the “analytics”, especially as they increase the attack surface area. The analytics are installed as part of the “SDKs” or the “kits” to understand usage and, in most cases, deliver advertisements. I haven’t seen any action taken on the “app exchanges for healthcare”; it opens its own can of worms. Ideally, the application should be open-sourced and audited. I often find the claims of independent verification superfluous because you are paying the audit company to give you a perfect bill of health. It should be an open repository (like a trust) where consumers can install it away from the application stores.

This remains an area of ongoing interest and I will definitely revisit it.