Millions of sensitive records exposed by mobile apps leaking back-end credentials

Lucian Constantin

Google, Apple and the BaaS providers have been contacted about the issue since April, and in turn notified some of the developers whose apps were affected. However, as of Nov. 12, access to over 52 million data items was still freely available with the exposed credentials, the researchers said.

Some of this data is in limbo, because the apps that created it no longer exist; their developers have moved on to other things. The service providers can't simply delete it either, because the accounts that own it are still active.

This suggests that developers either don’t care or don’t know how to fix the problem.

Some BaaS providers, like Amazon and Parse, offer more advanced access control and the ability to authenticate individual app users with the back-end services, instead of authenticating the whole app with a single shared key. However, these features can be hard to implement.

In some cases, implementing such identity management is so complicated that it defeats the primary goal of BaaS frameworks, which is to simplify developers’ jobs.

It’s no wonder that developers choose the easy route, which is also the insecure one, the researchers said.

While this is ultimately the developers’ problem, BaaS providers could improve their documentation so that even app creators with no security education can understand how to use the technology and the risks they're exposed to if they don’t do it properly. Providers could even force developers to take action by detecting apps that access their services using root access keys and displaying a warning, the researchers said.
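The two access patterns contrasted above (a single account-wide key shipped inside the app versus per-user authentication with the back end), together with the provider-side warning the researchers suggest, can be seen in the following added illustration. This is example code written for this page; it is not the researchers' code and does not use any provider's real API. The key format, the sample records, the token scheme, and the "mobile client" heuristic are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import re
import time

# --- constructed material for this example; none of it comes from the article ---
ROOT_KEY = "rk_live_7f3a9c2e1b"          # account-wide key a careless app ships with
SIGNING_SECRET = b"server-only-secret"   # stays on the back end, never inside the app
TOKEN_TTL = 300                          # seconds a user-scoped token stays valid

# one BaaS "table" with rows owned by different end users (constructed sample data)
RECORDS = [
    {"id": 1, "owner": "alice", "data": "alice home address"},
    {"id": 2, "owner": "bob",   "data": "bob medical notes"},
    {"id": 3, "owner": "alice", "data": "alice payment token"},
]

# strings an attacker would see after unpacking a (constructed) app package
APP_STRINGS = (b"com.example.app\x00BAAS_ENDPOINT=https://api.example.invalid\x00"
               b"BAAS_KEY=rk_live_7f3a9c2e1b\x00MainActivity\x00")


def extract_root_key(app_blob):
    """Attacker side of the insecure pattern: pull the hard-coded key out of the package."""
    m = re.search(rb"BAAS_KEY=(rk_live_[0-9a-f]+)", app_blob)
    return m.group(1).decode() if m else None


def issue_user_token(user, now=None):
    """Back-end side of the per-user pattern: after the user logs in, mint a
    short-lived token bound to that user. Only the back end knows SIGNING_SECRET."""
    exp = int((now or time.time()) + TOKEN_TTL)
    payload = f"{user}.{exp}"
    sig = hmac.new(SIGNING_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_user_token(token, now=None):
    """Return the user a token belongs to, or None if it is malformed, forged or expired."""
    try:
        user, exp, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_SECRET, f"{user}.{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if (now or time.time()) >= int(exp):
        return None
    return user


def query_records(credential, client="mobile", now=None):
    """The back end's read endpoint.

    A root key returns every row (that is what root means), but when it arrives
    from a mobile client the provider records a warning, which is the mitigation
    the researchers suggest. A user token returns only that user's rows.
    Anything else is rejected.
    """
    if hmac.compare_digest(credential.encode(), ROOT_KEY.encode()):
        warnings = []
        if client == "mobile":
            warnings.append("root key presented by a mobile client; "
                            "this key is recoverable from the app package")
        return {"records": list(RECORDS), "warnings": warnings}

    user = verify_user_token(credential, now)
    if user is None:
        return {"records": [], "warnings": [], "error": "invalid or expired token"}
    return {"records": [r for r in RECORDS if r["owner"] == user], "warnings": []}


if __name__ == "__main__":
    leaked = extract_root_key(APP_STRINGS)
    print("attacker extracted:", leaked)
    print("rows readable with the leaked root key:", len(query_records(leaked)["records"]))
    print("provider warning:", query_records(leaked)["warnings"])
    print("rows readable with bob's token:", len(query_records(issue_user_token("bob"))["records"]))
```

The point of the toy is the asymmetry: whatever is compiled into the app must be treated as public, so a key that unlocks the whole account gives every user's data to whoever unpacks the package, while a per-user token that the back end mints after login only ever exposes the rows its holder already owns, and expires on its own. The warning in `query_records` is deliberately simple; a real provider would key it on its own SDK or request metadata rather than a string flag.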
