Check Point Research (CPR) discovered that mobile app developers potentially exposed personal data of over 100 million users through a few misconfigurations of third-party cloud providers. Personal data included email addresses, chat messages, location, passwords, and images and could be gathered from 23 Android apps.
In the world of mobile application development, modern cloud-based solutions have become the new standard. Cloud-based storage, real-time databases, notification management, analytics, and other services are only a click away from being incorporated into applications. On the other hand, developers often ignore the security aspect of these services, the setup, and, of course, the content.
CPR recently discovered that, in recent months, many developers left data and private information of millions of users exposed by failing to follow best practices when configuring and integrating third-party cloud services into their applications.
Main findings of CPR’s research:
– Discovered publicly accessible sensitive data from real-time databases in 13 Android apps, with downloads ranging from 10,000 to 10 million.
– Discovered push notification and cloud storage keys embedded in a variety of Android applications.
– Offers examples of vulnerable apps, including astrology, taxi, logo-maker, screen recording, and fax app, that exposed users and developers to malicious actors.
Misconfiguring Real-Time Databases
Real-time databases allow developers to store data in the cloud while ensuring that it is synchronized in real-time with every connected client. The service addresses one of the most common problems in application creation while ensuring that the database is compatible with all client platforms.
What happens, however, if the developers fail to configure the real-time database with a simple and basic function like authentication?
This form of real-time database misconfiguration is not new, and it continues to be widespread, affecting millions of users. The only thing CPR researchers had to do was try to access the data. There was nothing in place to prevent unauthorized entry.
Researchers were able to recover a large amount of confidential information when reviewing the material on the publicly accessible database, including email addresses, passwords, private chats, computer location, user identifiers, and more. If a bad actor gains access to this data, it may lead to service-swipes (using the same username and password on different services), fraud, and/or identity theft.
How to protect yourself
Mobile devices can be targeted in a variety of ways. This includes the possibility of malicious software, network-level attacks, and the exploitation of vulnerabilities in smartphones and mobile operating systems.
Since cybercriminals have increased their focus on mobile devices as their importance has grown, it’s time to consider protection. An effective mobile threat protection solution must be capable of detecting and responding to a wide range of attacks while maintaining a positive user experience.