Mobile app developers potentially exposed the personal data of over 100 million users through misconfigurations of third party cloud services, Check Point Research (CPR) revealed.
Personal data included emails, chat messages, location, passwords and photos, which, in the hands of malicious actors, could lead to fraud, identity theft and service swipes, the report said.
CPR, after examining 23 Android applications, found sensitive data from real-time databases publicly accessible in 13 of them, with download counts ranging from 10,000 to 10 million.
CPR found push notification and cloud storage keys embedded in a number of Android applications themselves.
CPR provides examples of vulnerable applications: an astrology, taxi, logo-maker, screen recording and a fax app that left users and developers vulnerable to malicious actors.
Services such as cloud-based storage, real-time databases, notification management, analytics, and more are simply a click away from being integrated into applications. Yet, developers often overlook the security aspect of these services, their configuration, and of course, their content.
Many application developers have left their data and millions of users’ private information exposed by not following best practices when configuring and integrating third-party cloud services into their applications.
Real-time databases allow application developers to store data on the cloud, making sure it is synchronized in real-time to every connected client. This service solves one of the most encountered problems in application development, while making sure that the database is supported for all client platforms.
This misconfiguration of real-time databases is not new and remains widespread, affecting millions of users. All CPR researchers had to do was attempt to access the data; there was nothing in place to stop unauthorized access.
CPR researchers found that Astro Guru, a popular astrology, horoscope and palmistry app with over 10 million downloads, has this misconfiguration. After users input their personal information such as their name, date of birth, gender, location, email and payment details, Astro Guru provides them a personal astrology and horoscope prediction report. Imagine exposing sensitive data for a horoscope prediction!
Through T’Leva, a taxi app with over fifty thousand downloads, CPR researchers were able to access chat messages between drivers and passengers and retrieve users’ full names, phone numbers, and locations (destination and pick-up) – all by sending one request to the database.
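The misconfiguration CPR describes is a real-time database whose security rules let anyone on the internet read or write a branch. As an added example that is not part of the CPR report, this script audits a Firebase Realtime Database rules document (assuming Firebase, which the page does not name) and lists every path that is world-readable or world-writable, next to a corrected version that scopes each branch to its authenticated owner; both rules documents are constructed samples.

```python
import json

# Constructed sample rules document (not from the CPR report): "chats" and
# "profiles" are readable by anyone, which is the misconfiguration described
# above; "orders" is scoped to the authenticated owner.
WEAK_RULES = json.loads("""{
  "rules": {
    "chats":    {".read": true, ".write": true},
    "profiles": {".read": "true", ".write": "auth != null"},
    "orders":   {"$uid": {".read": "auth.uid === $uid", ".write": "auth.uid === $uid"}}
  }
}""")

# The same document after the fix: every branch requires an authenticated user.
FIXED_RULES = json.loads("""{
  "rules": {
    "chats":    {"$uid": {".read": "auth.uid === $uid", ".write": "auth.uid === $uid"}},
    "profiles": {"$uid": {".read": "auth.uid === $uid", ".write": "auth.uid === $uid"}},
    "orders":   {"$uid": {".read": "auth.uid === $uid", ".write": "auth.uid === $uid"}}
  }
}""")

PERMISSIONS = (".read", ".write")

def is_public(expr) -> bool:
    """Firebase accepts a JSON boolean or a string expression; both the
    literal true and the expression "true" grant access to anyone."""
    if isinstance(expr, bool):
        return expr
    return isinstance(expr, str) and expr.strip() == "true"

def find_public_paths(rules: dict, path: str = "/") -> list[tuple[str, str]]:
    """Return (path, permission) pairs that are world-readable or writable.
    Rules cascade downward, so a public ".read" at "/" exposes everything."""
    findings = []
    for key, value in rules.items():
        if key in PERMISSIONS:
            if is_public(value):
                findings.append((path, key))
        elif isinstance(value, dict):
            findings.extend(find_public_paths(value, path.rstrip("/") + "/" + key))
    return findings

def audit(doc: dict) -> list[tuple[str, str]]:
    """Audit a full rules document of the form {"rules": {...}}."""
    return find_public_paths(doc.get("rules", {}))

if __name__ == "__main__":
    for path, perm in audit(WEAK_RULES):
        print(f"PUBLIC {perm} at {path}")
```

Run it against the rules file you are about to deploy; any line of output is a branch that an unauthenticated request can reach, exactly the condition CPR exploited with a single request.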
Push notifications are often used to flag new available content, display chat messages, emails, and much more. Most push notification services require a key (sometimes, more than one) to recognize the identity of the request submitter. When those keys are just embedded into the application file itself, it is very easy for hackers to take control and gain the ability to send notifications which might contain malicious links or content to all users on behalf of the developer.
Imagine if a news-outlet application pushed a fake-news entry notification to its users directing them to a phishing page. Since the notification originated from the official app, the users would assume the notification was legitimate and sent by the news outlet and not hackers.
Cloud storage on mobile applications is a practice that has skyrocketed in the last few years. It allows access to files shared by either the developer or the installed application. Here are two examples of apps that CPR researchers found on Google Play:
With over 10 million downloads, the “Screen Recorder” app is used to record the user’s device screen and store the recordings on a cloud service. While accessing screen recordings through the cloud is a convenient feature, there can be serious implications if developers store users’ private passwords on the same cloud service that holds the recordings. With a quick analysis of the application file, CPR researchers were able to recover the keys that grant access to each stored recording.
The second app, “iFax”, not only had the cloud storage keys embedded into the app, but also stored all fax transmissions there. Just by analyzing the app, a malicious actor could gain access to every document sent by the 500,000 users who downloaded it.
CPR approached Google and each of these apps’ developers prior to the publication of this blog to share its findings. A few of the apps have changed their configuration.
Mobile devices can be attacked in several ways. These include malicious apps, network-level attacks, and exploitation of vulnerabilities within devices and the mobile OS. As mobile devices become increasingly important, they have received additional attention from cybercriminals.
Check Point Harmony Mobile is the market-leading Mobile Threat Defense (MTD) and Mobile App Reputation Service (MARS) solution, providing the widest range of capabilities to help you secure your mobile and the data on it.