Light Dark
November 18, 2015 By Shane Schick 2 min read

App developers love using backend-as-a-service (BaaS) companies to store and host the data they collect from users, but researchers recently warned the way they do so could be putting sensitive data in front of the prying eyes of cybercriminals.

(In)Security of Backend-as-a-Service,” a paper presented at the recent Black Hat Europe conference, showed how hard-coded credentials in many iOS and Android apps could be easily removed to provide access to sensitive data. As part of their study, the researchers published a tool called HAVOC to help spot apps where BaaS connections might introduce security risks. Close to 19 million records and 56 million pieces of data were discovered in a review of 2 million apps.

To some extent, the very ease of using BaaS services is the same reason they pose security threats. As Computerworld noted, app developers can quickly sign up and download a software development kit (SDK) to start using third-party providers to store information in the cloud and manage things like push notifications. The research revealed that there is a systemic mistake being made: using primary BaaS credentials as access keys. This puts cybercriminals much closer to sensitive data than they would hope to get otherwise.

For example, SecurityWeek reported that researchers were quickly able to see personally identifiable information such as dates of birth, phone numbers, email addresses and locations. Even worse, it’s possible for third parties to modify sensitive data they obtain through BaaS services depending on the kind of mobile app in use. This could open up even more security problems if attackers start to exploit these holes and tamper with financial transaction records, social media profile details and so on.

Of course, a lot of consumer mobile apps are made by independent developers. As more large companies and brands create apps for personal or even business use, they may approach BaaS offerings a little differently and use more security-focused default credentials that would protect sensitive data. In the meantime, The Register suggested that ongoing education for the developer community should become a priority for companies like Amazon and Facebook, as should vulnerability scanning before apps are submitted to app stores.

 |  |  |  | 
Shane Schick
Writer & Editor

More from

January 30, 2025

When ransomware kills: Attacks on healthcare facilities

4 min read - As ransomware attacks continue to escalate, their toll is often measured in data loss and financial strain. But what about the loss of human life? Nowhere is the ransomware threat more acute than in the healthcare sector, where patients’ lives are literally on the line.Since 2015, there has been a staggering increase in ransomware attacks on healthcare facilities. And the impacts are severe: Diverted emergency services, delayed critical treatments and even fatalities. Meanwhile, the pledge some ransomware groups made during…

January 29, 2025

AI and cloud vulnerabilities aren’t the only threats facing CISOs today

6 min read - With cloud infrastructure and, more recently, artificial intelligence (AI) systems becoming prime targets for attackers, security leaders are laser-focused on defending these high-profile areas. They’re right to do so, too, as cyber criminals turn to new and emerging technologies to launch and scale ever more sophisticated attacks.However, this heightened attention to emerging threats makes it easy to overlook traditional attack vectors, such as human-driven social engineering and vulnerabilities in physical security.As adversaries exploit an ever-wider range of potential entry points…

January 28, 2025

4 trends in software supply chain security

4 min read - Some of the biggest and most infamous cyberattacks of the past decade were caused by a security breakdown in the software supply chain. SolarWinds was probably the most well-known, but it was not alone. Incidents against companies like Equifax and tools like MOVEit also wreaked havoc for organizations and customers whose sensitive information was compromised.Expect to see more software supply chain attacks moving forward. According to ReversingLabs' The State of Software Supply Chain Security 2024 study, attacks against the software…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature