App developers exposed millions of Android users’ data
Mobile app developers potentially exposed the private data of over 100 million Android users by not following security best practices when integrating third-party cloud services into their applications.
Researchers from Check Point recently analysed 23 Android apps, including a screen recorder, a taxi app, a fax service, a logo maker and astrology software, and discovered that the developers exposed their own and their users’ data through a variety of misconfigurations in third-party cloud services.
In 13 apps, sensitive details were publicly available in unsecured cloud setups.
The sensitive data included chat messages, emails, location details, gender, date of birth, phone numbers, passwords, photos and payment details. Cyber criminals could easily use this information to carry out fraud, identity theft and service swipes.
In a blog post, the researchers said they found sensitive details in unprotected real-time databases used by 23 apps, with installations ranging from 10,000 to 10 million.
Some of those apps, found in the Google Play store, had more than 10 million downloads, including Astro Guru, Logo Maker and Screen Recorder. The latter exposed cloud storage keys, giving access to users’ screenshots from the device.
Some apps also exposed data related to their developers, such as credentials for the app’s push notification service. Malicious actors can exploit push services to send fake alerts to app users.
Another Android app, iFax, exposed cloud storage keys, enabling access to a database containing fax transmissions and other documents from more than 500,000 users.
With the taxi service app T’Leva, the Check Point researchers were able to access all messages sent between customers and drivers, names, phone numbers and a variety of other details, by sending one simple request to the database.
‘This misconfiguration of real-time databases is not new, but to our surprise, the scope of the issue is still far too broad and affects millions of users. All our researchers had to do was attempt to access the data. There was nothing in place to stop the unauthorised access from being processed,’ the researchers said.
‘Most of the apps we have found had “read” permissions and “write” permissions. This alone could compromise an entire application, not even considering the hit to the developer’s reputation, their user-base, or even their relationship with the hosting market.’
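The researchers describe databases that answer any read or write request without authentication. What that looks like in a rules file, and how a developer can catch it before deploying, is shown by the added example below. It is not code from Check Point or from any of the apps named in the article; it assumes the database is a Firebase Realtime Database (the article only says “real-time databases”), whose security rules are a JSON document with a top-level `rules` object and `.read`/`.write` keys holding booleans or rule expressions. Both rule sets are constructed for illustration: one wide open at the root, one that denies by default and scopes access to the signed-in user.

```python
"""Lint Realtime Database security rules for paths that need no authentication.

Added example (not from the Check Point report or the apps it covers). Assumes
the Firebase Realtime Database rules format: a JSON document with a top-level
"rules" object in which ".read" and ".write" hold either a boolean or a rule
expression string. The two rule sets below are constructed samples.
"""
import json

# Constructed sample: the misconfiguration the article describes. Anyone who
# knows the database URL can read and write everything.
WIDE_OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed sample: deny by default at the root, then grant each signed-in
# user access only to their own subtree, and expose one read-only public node.
SCOPED_RULES = json.loads("""
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "public_config": {
      ".read": true
    }
  }
}
""")


def _is_world_open(value):
    """A rule grants anonymous access if it is the literal true (bool or string)."""
    return value is True or (isinstance(value, str) and value.strip() == "true")


def find_open_paths(rules_doc):
    """Return (path, permission) pairs that are granted without any auth check.

    Realtime Database rules cascade downward: once a parent path grants read or
    write, every child inherits it. A hit at "/" therefore means the entire
    database is exposed, whatever the child rules say.
    """
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_world_open(value):
                    findings.append((path or "/", key))
            elif key in (".validate", ".indexOn"):
                # Validation and index directives never grant access; skip them.
                continue
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(rules_doc.get("rules", {}), "")
    return findings


def root_is_exposed(rules_doc):
    """True when the root path itself is world-readable or world-writable."""
    return any(path == "/" for path, _ in find_open_paths(rules_doc))


if __name__ == "__main__":
    for name, doc in (("wide open", WIDE_OPEN_RULES), ("scoped", SCOPED_RULES)):
        hits = find_open_paths(doc)
        status = "ROOT EXPOSED" if root_is_exposed(doc) else "ok"
        print(f"{name}: {status}; unauthenticated grants: {hits}")
```

Run against the two samples, the linter flags the root `.read` and `.write` grants in the first rule set and only the deliberate `/public_config` read in the second. Running a check like this in CI against the rules file that ships with the app is a cheap way to stop the wide-open default from reaching production; the same cascading logic is why a single `true` at the root overrides any more careful rule written further down.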
Last year, research by Comparitech’s cyber security team found that nearly six per cent of all Google Cloud buckets are vulnerable to unauthorised access due to misconfiguration issues.
Of the 2,064 open Google Cloud buckets Comparitech researchers found, 131 were misconfigured and vulnerable to unauthorised access.