If you use any of these Android apps, your personal data may be exposed

May 22nd, 2021 at 9:01 AM
Android apps

Here we go again — more than 100 million users of almost two dozen Android apps have had their personal data exposed, according to new research from a cybersecurity firm that says it discovered the problem stemmed from the way developers misuse third-party cloud services.

The team at Check Point Research published a report that revealed specific examples of vulnerable applications, including astrology, taxi, screen recording, and fax mobile apps. Among other things, CPR found publicly available sensitive data in real-time databases connected to several Android apps that had garnered between 10,000 and 10 million installations. The personal data included emails, chat messages, passwords, and photos, and CPR also found push notification and cloud storage keys embedded in many Android apps themselves.


“A real-time database is one that works on live and constantly changing data, rather than persistent data that is stored on a disc,” CPR explained in an email about the findings. “App developers depend on real-time databases to store data on the cloud … If a malicious actor gains access to the sensitive data extracted by CPR, it would potentially lead to fraud, identity-theft and service-swipe, which is trying to use the same username-password combination on other services.”

As you can see, with mobile applications having become such a ubiquitous part of our lives, it’s not just the apps themselves that need to be secure. Developers also need to stop overlooking the security aspect associated with services that are also part and parcel of mobile apps, such as cloud-based storage, real-time databases, analytics, and notification management.

Examples of Android apps that CPR cited in this new report are Astro Guru, T’Leva, and Logo Maker. T’Leva, a taxi app, was found to have garnered 50,000 downloads, while the other two, Astro Guru (an astrology app) and Logo Maker (a graphic design app), reached 10 million downloads. The report identified the following data that CPR found was extracted from each app:

  • Astro Guru: Name, date of birth, gender, location, email and payment details
  • T’Leva: Chat messages between drivers and passengers, and users’ full names, phone numbers, and locations (destination and pick-up)
  • Logo Maker: Email, password, username, user-ID

“Most of the apps we took a look at are still exposing the data now,” said Check Point Software manager of mobile research Aviran Hazum. “Data gathering, especially by a malicious actor, is very serious. Ultimately, victims become vulnerable to many different attack vectors, such as impersonations, identity theft, phishing and service swipes. Our latest research sheds light on a disturbing reality where application developers place not only their data, but their private users’ data at risk.

“By not following best-practices when configuring and integrating third party cloud-services into applications, tens of millions of users’ private data has been exposed.”

The whole report is worth a read here. “This misconfiguration of real-time databases is not new,” it continues, “but to our surprise, the scope of the issue is still far too broad and affects millions of users. All our researchers had to do was attempt to access the data. There was nothing in place to stop the unauthorized access from being processed.”


Andy is a reporter in Memphis who also contributes to outlets like Fast Company and The Guardian. When he’s not writing about technology, he can be found hunched protectively over his burgeoning collection of vinyl, as well as nursing his Whovianism and bingeing on a variety of TV shows you probably don’t like.
