
Coding errors in 685 mobile-apps leave 180 million smartphone users vulnerable

A banner for communications software provider Twilio Inc. hangs on the facade of the New York Stock Exchange (NYSE) to celebrate the company's IPO in New York City, U.S. REUTERS/Brendan McDermid

Up to 180 million smartphone users may have some of their text messages and calls intercepted by hackers because of a coding error that affects at least 685 mobile apps, cyber security experts say.

Developers have mistakenly coded credentials for accessing services provided by Twilio Inc, allowing hackers to access personal credentials by reviewing the code in the apps and then to gain access to data sent over those services.
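As an added illustration (not part of the original report, and not code from Twilio or the researchers), the sketch below shows how a developer could check their own app source for this mistake before release. It assumes the publicly documented credential shapes, an Account SID of "AC" plus 32 hex characters and a 32-hex auth token; the sample snippets, the `backend.example` URL and all names are constructed.

```python
import re

# Assumed shapes: an Account SID is "AC" + 32 hex chars; an auth token is a
# bare 32-hex string, so it is only reported when it sits close to a SID.
SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
TOKEN_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-f]{32}(?![0-9a-fA-F])")
WINDOW = 3  # lines after a SID in which a 32-hex string counts as a token

def redact(value):
    """Keep enough of the value to locate it, never the whole secret."""
    return value[:6] + "..." + value[-2:]

def scan(source):
    """Return findings as (line_number, kind, redacted_value) tuples."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for sid in SID_RE.finditer(line):
            findings.append((i + 1, "account_sid", redact(sid.group())))
            # Check the SID's own line and the next WINDOW lines for a token.
            for j in range(i, min(i + WINDOW + 1, len(lines))):
                for tok in TOKEN_RE.finditer(lines[j]):
                    findings.append((j + 1, "auth_token", redact(tok.group())))
    return findings

# Constructed sample: credentials compiled into the app (the coding error).
VULNERABLE = '''\
public class SmsClient {
    // constructed sample values, not real credentials
    static final String SID = "AC0123456789abcdef0123456789abcdef";
    static final String TOKEN = "fedcba9876543210fedcba9876543210";
}
'''

# Constructed sample: the app calls its own backend, which holds the secrets.
HARDENED = '''\
public class SmsClient {
    // asset checksum, unrelated to any credential
    static final String ASSET_MD5 = "00112233445566778899aabbccddeeff";
    static final String BACKEND = "https://backend.example/api/sms";
}
'''

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, scan(src))
```

A finding means the secret ships inside every copy of the app, so the fix is to revoke it and move the call behind a server the developer controls, not to obfuscate the string.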

Logins, passwords compromised

The sheer number of apps affected by this is quite significant, according to cyber security experts.

As a result, it is likely that hackers have access to logins and passwords, the cyber equivalent of handing them the keys to your house.

Another worrying aspect, experts say, is that we do not even have the complete list of the apps, so no one really knows whether they may be hacked or not.

It really depends on the types of application that have been affected.

"Some of the claims of the security company are that call recordings, the content of call recordings could be accessed, which is quite concerning from a privacy point of view," says David Rogers, the CEO of Copperhorse, which provides consultancy for mobile security.

"But really in terms of the impact, Twilio have said that they're going to act very quickly to revoke the apps that have been affected and so the window of opportunity for malicious hackers is very small."

Rogers adds that we do not know how long this has been open, some saying it might have been the case since 2011.

"And that is of some concern. So Twilio really need to give some confidence to users and those app developers need to give confidence to their users that they haven't been exposed for nearly six years."

Beyond Twilio

And the problem is not only about the users of the apps themselves; it goes beyond this.

"If you've been hacked, you've been hacked," says Caroline Borriello from Pradeo, a company which provides mobile security solutions to master applications security.

"The thing is, this is not only the users that have been hacked, it's not the number of users that have been leaked, but it's the people these apps users have called or have sent text messages to, using the Twilio server that have been leaked.

"So people don't know at the end of the day, because people that have been called might not be aware they've been called through this server and that maybe their data is at risk."

Privacy hacked?

"Once you download the application, it's like when you open all the doors to your house, because you are letting the application do what it wants," says Nicolas Arpagian, the Academic Director of the "CyberSecurity Programme" at France's National Institute for Security.

"For instance, once you have an app on your smartphone, and I'm talking about legitimate applications, they are already doing some bizarre things, like taking some elements of your address book, like, looking at where you are, looking at all the information inside your smartphones."

Arpagian says that already implies strong actions against your privacy.

"But when someone is deliberately doing that, who wants to hack your phone, he has access to everything concerning your contacts, your pictures, all the things that you have in your smartphone. This is a very deep way of hacking personal lives of individuals."

Moreover, experts say it is crucial for companies that develop the apps to be more careful.

"There is a lack of transparency. We know now, we are convinced that Google and Apple do not perform technical checks before releasing an application," according to Eric Filiol, the head of Operational Cryptography and Computer Virology lab in France.

"We know that developers are not very efficient at secure programming, they don't use proper tools. In fact, they just develop so quickly, because there is some sort of pressure, not to say hysteria, in application development, that in fact, all the security aspects, all the security checks are no longer performed.

"So basically, one needs to be extra cautious regarding the apps one downloads, make sure it is from a known website - but even then, there's no guarantee - and try not to rely too much on our smartphones."
