Here we go again — more than 100 million users of almost two dozen Android apps have had their personal data exposed, according to new research from a cybersecurity firm that says it discovered the problem stemmed from the way developers misuse third-party cloud services.
The team at Check Point Research (CPR) published a report that gave specific examples of vulnerable applications, including astrology, taxi, screen recording, and fax apps. CPR found publicly accessible sensitive data in real-time databases connected to several Android apps that had between 10,000 and 10 million installations. That data included emails, chat messages, passwords, and photos, and CPR also found push notification and cloud storage keys embedded in many of the Android apps themselves.
“A real-time database is one that works on live and constantly changing data, rather than persistent data that is stored on a disc,” CPR explained in an email about the findings. “App developers depend on real-time databases to store data on the cloud … If a malicious actor gains access to the sensitive data extracted by CPR, it would potentially lead to fraud, identity-theft and service-swipe, which is trying to use the same username-password combination on other services.”
Mobile applications have become such a ubiquitous part of our lives that it is not just the apps themselves that need to be secure. Developers also need to stop overlooking the security of the backend services that are part and parcel of a mobile app: cloud-based storage, real-time databases, analytics, and notification management.
Examples of Android apps that CPR cited in this new report are Astro Guru, T’Leva, and Logo Maker. T’Leva, a taxi app, had 50,000 downloads, while the other two — Astro Guru, an astrology app, and Logo Maker, a graphic design app — reached 10 million downloads. The report identified the following exposed data for each app:
- Astro Guru: Name, date of birth, gender, location, email and payment details
- T’Leva: Chat messages between drivers and passengers, plus users’ full names, phone numbers, and locations (destination and pick-up)
- Logo Maker: Email, password, username, user ID
“Most of the apps we took a look at are still exposing the data now,” said Check Point Software manager of mobile research Aviran Hazum. “Data gathering, especially by a malicious actor, is very serious. Ultimately, victims become vulnerable to many different attack vectors, such as impersonations, identity theft, phishing and service swipes. Our latest research sheds light on a disturbing reality where application developers place not only their data, but their private users’ data at risk.
“By not following best practices when configuring and integrating third-party cloud services into applications, tens of millions of users’ private data has been exposed.”
The whole report is worth a read. “This misconfiguration of real-time databases is not new,” it continues, “but to our surprise, the scope of the issue is still far too broad and affects millions of users. All our researchers had to do was attempt to access the data. There was nothing in place to stop the unauthorized access from being processed.”
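The misconfiguration CPR describes is a database whose access rules let anyone who knows its URL read or write the data, so a developer-side check is to lint the rules file before it is deployed. The following is an added example, not code from CPR’s report or from any of the apps named above; it assumes the JSON rules syntax of Firebase Realtime Database (which the article does not name) as a representative real-time database, and the two rule sets it contains are constructed for illustration, with invented field names such as `driver` and `passenger`. It shows the wide-open configuration beside a hardened one and a small walker that flags every `.read` or `.write` rule that grants access without an authenticated user.

```python
import json

# Constructed example of the misconfiguration described in the article
# (assumed Firebase Realtime Database rules syntax): the whole tree is
# readable and writable by anyone who knows the database URL.
OPEN_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Constructed hardened version: no world-readable node. Each user may read
# and write only their own subtree, and a ride record is readable only by
# the two parties on it (field names `driver`/`passenger` are invented here).
HARDENED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "rides": {
            "$rideId": {
                ".read": "auth != null && (data.child('driver').val() == auth.uid"
                         " || data.child('passenger').val() == auth.uid)",
                ".write": "auth != null && data.child('driver').val() == auth.uid",
            }
        },
    }
})

PERMISSIONS = (".read", ".write")


def _is_open(value):
    """Heuristic: a permission is open when it can evaluate to true for an
    unauthenticated client. Boolean true, the string "true", and any
    expression that never mentions `auth` all qualify."""
    if value is True:
        return True
    if isinstance(value, str):
        expr = value.strip().lower()
        return expr == "true" or (expr != "false" and "auth" not in expr)
    return False


def find_open_rules(rules_json):
    """Return [(path, permission)] for every rule that grants access without
    requiring authentication. In this rules model a grant cascades to every
    child node, so an open rule at '/' exposes the entire database."""
    doc = json.loads(rules_json)
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in PERMISSIONS:
                if _is_open(value):
                    findings.append((path or "/", key))
            elif key.startswith("."):
                continue  # .validate / .indexOn are not access grants
            else:
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


def is_world_accessible(rules_json):
    """True when any node can be read or written without authentication."""
    return bool(find_open_rules(rules_json))


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, find_open_rules(rules))
```

Run against the open rule set the checker reports both `.read` and `.write` at `/`; against the hardened one it reports nothing. Wiring `is_world_accessible` into the build as a deploy gate catches the exact failure mode the report describes, where nothing stood between an anonymous request and the data, before the rules ever reach production.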