Black Hat Europe 2015 has an interesting presentation on Backend-as-a-Service (BaaS).
The image above explains in a picture what the backend is: an app uses the BaaS SDK (Software Development Kit) functions to connect into the cloud.
The cloud can be Parse, Cocoafish, StackMob, Kinvey, CloudMine, Amazon Web Services, BaasBox, or Mobeelizer. These "cloud services" have specific BaaS capabilities, which is why the researchers used them in their study.
Researchers of the paper:
Siegfried Rasthofer and Steven Arzt, both 3rd-year PhD students at TU (Technische Universität) Darmstadt, a German university; both have their specific fields of study in the Secure Software Engineering group.
The BaaS connects to iOS, Android, PHP, JavaScript, Windows Phone, and Python applications.
Siegfried and Steven have now cataloged all the apps and tried to identify the BaaS connections (the SDK functions and the credentials they carry), in some cases using a tool (Harvester).
Then they tried to extract data with the information they found.
So the question is: were they able to extract data without being the app on the phone?
What type of data?
Car accident info
Pictures
user-centric location data (GPS coordinates)
birthday info
contact data
phone numbers
valid email addresses
Facebook info – users' friends, blocked friends
purchase information (what has been purchased)
C&C means command and control, so the app could talk to the legitimate C&C cloud application or to a potentially criminal hacker app.
Siegfried and Steven then lay out what they did with their information: they disclosed this finding to the various cloud providers (Facebook, Amazon, Parse, etc.) so they can fix this problem.
How can this happen? Why are we not thinking about this before a big hack comes? It was very fortunate that, as far as we know, two PhD students found this issue first.
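The core weakness behind the data listed above is that the credential the SDK uses (an app key baked into every copy of the app) identifies the app, not the user, so a backend that authorizes reads on the app key alone exposes every user's records to anyone who recovers that key. The following toy model is an added illustration written for this summary; it is not code from the talk or from any BaaS vendor, and the app key, session tokens, records and the audit_exposure helper are all constructed for the example. It shows the weak policy beside a per-user (ACL-scoped) policy and counts how many records each policy hands to a caller holding only the app key.

```python
"""Toy model of BaaS access control: shared app key vs. per-user ACLs.

Added illustration; every key, token and record below is constructed.
"""

# Constructed: the key that ships inside the mobile app package.
APP_KEY = "app-key-shipped-inside-the-mobile-app"

# Constructed: records two end users stored through the BaaS SDK.
RECORDS = [
    {"owner": "alice", "type": "gps", "value": "52.27,8.04"},
    {"owner": "alice", "type": "email", "value": "alice@example.com"},
    {"owner": "bob", "type": "purchase", "value": "order-1001"},
]

# Constructed: per-user session tokens issued after a login; only the
# owning user's device holds these, unlike the app key.
SESSION_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def read_records_shared_key(app_key, requested_owner):
    """Weak policy: any caller presenting the app key may read any user's
    records. Because the app key can be recovered from the app package,
    this is the model that lets data be read without being the app on
    the phone."""
    if app_key != APP_KEY:
        return []
    return [r for r in RECORDS if r["owner"] == requested_owner]


def read_records_per_user(app_key, session_token, requested_owner):
    """Hardened policy: the app key only identifies the app; each record
    is readable solely by the authenticated user who owns it (a
    per-record ACL enforced on the backend, not in the client)."""
    if app_key != APP_KEY:
        return []
    caller = SESSION_TOKENS.get(session_token)
    if caller is None:
        return []
    return [
        r for r in RECORDS
        if r["owner"] == requested_owner and r["owner"] == caller
    ]


def audit_exposure(app_key, session_token):
    """Count how many records a holder of (app_key, session_token) can
    reach under each policy, summed over every owner in the dataset.
    Hypothetical helper: a quick regression check for a test backend's
    ACL configuration."""
    owners = sorted({r["owner"] for r in RECORDS})
    shared = sum(len(read_records_shared_key(app_key, o)) for o in owners)
    scoped = sum(
        len(read_records_per_user(app_key, session_token, o)) for o in owners
    )
    return {"shared_key_policy": shared, "per_user_policy": scoped}


if __name__ == "__main__":
    # Caller holding only the app key (no user session): the shared-key
    # policy returns every record, the per-user policy returns none.
    print(audit_exposure(APP_KEY, session_token=None))
    # Legitimate user alice on her own device: only her own two records.
    print(audit_exposure(APP_KEY, session_token="tok-alice"))
```

The useful check for a team shipping a BaaS-backed app is the first call: run the audit with a valid app key and no session token against a staging backend; any non-zero count under the real backend's policy means the app key alone is sufficient to read user data and the ACLs need tightening on the server side.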
We must test more:
Use systems engineering principles to create a testing regime – Contact Us.