Black Hat Europe 2015 had an interesting presentation on the security of Backend-as-a-Service (BaaS).



The image above shows what the backend is: an app calls the BaaS SDK (Software Development Kit) functions, and those functions connect it to the cloud backend.

The cloud can be Parse, Cocoafish, StackMob, Kinvey, CloudMine, Amazon Web Services, BaasBox or Mobeelizer. These "cloud services" offer specific BaaS capabilities, which is why the researchers used them in their study.

The researchers of the paper:

Siegfried Rasthofer and Steven Arzt, both third-year PhD students at TU Darmstadt (Technische Universität Darmstadt, a German university), working in the Secure Software Engineering group.


The BaaS SDKs connect iOS, Android, PHP, JavaScript, Windows Phone and Python applications to the backend.

Siegfried and Steven cataloged the apps and identified the BaaS connections (the SDK functions and the information those calls use to reach the backend), in some cases with a tool (Harvester).

Then they tried to extract data from the backends with the information they found.
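As an added illustration of that first step (this is not Harvester and not the researchers' code): a small Python scanner over decompiled Android source that finds BaaS SDK initialisation calls and reports whether the credentials they pass are plain string literals. The SDK call shapes, Parse.initialize(context, applicationId, clientKey) from the Parse Android SDK and BasicAWSCredentials(accessKey, secretKey) from the AWS SDK for Java, are real; the sample source, the package name and the Obf.decode/ENC_ID/ENC_KEY names are constructed for the example.

```python
"""Added example: flag BaaS SDK initialisation calls in decompiled Android
source and report whether the credentials they pass are plain string literals.
Not Harvester and not the researchers' code; the sample source is constructed."""
import re
from dataclasses import dataclass

# Constructed sample of decompiled app source (not from any real app).
# Obf.decode, ENC_ID and ENC_KEY are hypothetical names.
SAMPLE_SOURCE = """\
package com.example.app;

public class App extends Application {
    @Override
    public void onCreate() {
        // plain string literals: a decompiler or strings(1) shows these directly
        Parse.initialize(this, "abc123AppId", "def456ClientKey");
        AWSCredentials creds = new BasicAWSCredentials(
            "AKIAEXAMPLEKEY0000", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");
        // values built at run time: static matching sees only the call, not the key
        Parse.initialize(this, Obf.decode(ENC_ID), Obf.decode(ENC_KEY));
    }
}
"""

# SDK call heads and the argument positions that carry credentials.
# Parse.initialize(Context, applicationId, clientKey) is the Parse Android SDK
# call; BasicAWSCredentials(accessKey, secretKey) is from the AWS SDK for Java.
SDK_CALLS = {
    "Parse.initialize": (re.compile(r"\bParse\.initialize\s*\("), (1, 2)),
    "BasicAWSCredentials": (re.compile(r"\bnew\s+BasicAWSCredentials\s*\("), (0, 1)),
}
STRING_LITERAL = re.compile(r'^"((?:[^"\\]|\\.)*)"$')


@dataclass
class Finding:
    sdk: str
    line: int
    args: tuple      # raw source text of the credential arguments
    literal: bool    # True if every credential argument is a string literal


def call_args(src, open_idx):
    """Split the arguments of the call whose '(' is at open_idx, honouring
    nested parentheses and string literals. Returns stripped argument text."""
    depth, in_str, cur, args = 0, False, [], []
    i = open_idx
    while i < len(src):
        ch = src[i]
        if in_str:
            cur.append(ch)
            if ch == "\\":                 # keep the escaped character verbatim
                i += 1
                cur.append(src[i])
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:                 # closing paren of the call itself
                args.append("".join(cur).strip())
                break
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return args


def scan(src):
    """Return every credential-bearing BaaS SDK call found in src, by line."""
    findings = []
    for sdk, (head, positions) in SDK_CALLS.items():
        for m in head.finditer(src):
            args = call_args(src, m.end() - 1)
            creds = tuple(args[p] for p in positions if p < len(args))
            literal = bool(creds) and all(STRING_LITERAL.match(a) for a in creds)
            line = src.count("\n", 0, m.start()) + 1
            findings.append(Finding(sdk, line, creds, literal))
    return sorted(findings, key=lambda f: f.line)


def literal_value(arg):
    """Unquote a string-literal argument; None if it is not a plain literal."""
    m = STRING_LITERAL.match(arg)
    return m.group(1) if m else None


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        if f.literal:
            print(f"line {f.line}: {f.sdk} with hard-coded credentials "
                  f"{[literal_value(a) for a in f.args]}")
        else:
            print(f"line {f.line}: {f.sdk} with run-time credentials {f.args}; "
                  "needs dynamic analysis (e.g. Harvester) to recover the values")
```

The third call in the sample is the case that matters for the caveat: when the app builds the key at run time, a static match only tells you that the SDK is initialised somewhere, not what it is initialised with, which is why the researchers reached for a dynamic tool for some apps. Whatever the scanner recovers is exactly what an attacker recovers from the same APK, so any credential it prints should be treated as public.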


So the question is: were they able to extract data without being the legitimate app on the phone? They were. What type of data?

Car accident info

User-centric location data (GPS coordinates)

Birthday info

Contact data

Phone numbers

Valid email addresses

Facebook info: users' friends, blocked friends

Purchase information (what has been purchased)


C&C means command and control. Here the cloud backend plays that role for the app: the app could be talking to the legitimate C&C cloud application, or to a potentially criminal one.

Siegfried and Steven then lay out what they did with their findings: they disclosed them to the various cloud providers (Facebook, Amazon, Parse, etc.) so the providers could fix the problem.



How can this happen? Why are we not thinking about this before a big hack comes? As far as we know it was very fortunate that two PhD students found this issue first.



We must test more:

Use systems engineering principles to create a testing regime. Contact Us.


By zafirt
