Mobile App Developers Exposed 100 Million Android Users’ Data
The Check Point Research team has recently discovered that in the last few months, mobile app developers potentially exposed the private data of over 100 million Android users, by not following best security practices when integrating third-party cloud services into their applications.
The Check Point researchers analyzed 23 Android apps, including a screen recorder, a fax service, a logo maker, a taxi app, and an astrology app, and discovered that the developers exposed both their own and users’ data as a result of misconfigurations in third-party cloud services.
While investigating the content on the publicly available database, we were able to recover a lot of sensitive information including email addresses, passwords, private chats, device location, user identifiers, and more. If a malicious actor gains access to these data, it could potentially result in service-swipes (i.e. trying to use the same username-password combination on other services), fraud, and identity theft.
In 13 of the 23 apps, sensitive details were publicly available in unsecured cloud setups.
The sensitive data included chat messages, emails, location details, gender, date of birth, phone numbers, passwords, photos, and payment details. Threat actors could easily use this information to carry out fraud, identity theft, and service swipes.
Some of those apps, including Astro Guru, Logo Maker, and Screen Recorder, were available in the Google Play store and each had more than 10 million downloads. Screen Recorder exposed cloud storage keys, giving access to users’ screenshots from the device.
Image Source: Check Point Research
Other apps exposed data related to their developers, such as credentials for the app’s push notification service. Cybercriminals can exploit push services to send fake alerts to app users.
While the push notification data itself is not always sensitive, the ability to send notifications on behalf of the developer is attractive enough on its own. Imagine a news application pushing a fake breaking-news notification that directs users to a phishing page asking them to renew their subscription. Because the notification arrives through the official app, users have no reason to suspect that it was not sent by the developers.
iFax, another Android app, exposed cloud storage keys, enabling access to a database containing fax transmissions and other documents from over 500,000 users.
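The cloud storage keys and push-notification credentials described above (Screen Recorder, the push service, iFax) are the kind of secrets that end up hard-coded in the app package. The following is an added example, not code from Check Point Research or from the article, of how a reviewer would look for them: it assumes the APK has first been decoded with apktool (a workflow the article does not describe) and scans the resulting text files for a small, illustrative set of well-known identifier shapes. The sample resource and smali files, their dummy key values, and the `demo()` helper are all constructed for this example.

```python
"""
Embedded-credential scan for the failure mode where an app ships cloud
storage keys, push-notification credentials or database endpoints inside
the APK itself, where anyone who unpacks the app can read them.

Assumed workflow (not from the article): decode the APK with apktool,
then point scan_tree() at the output directory. The patterns are a
small illustrative set, and the sample tree below is constructed for
this example with dummy values only.
"""
import os
import re
import shutil
import tempfile

# Well-known identifier shapes. A match is a lead to confirm by hand
# (does the key still work, and what does it grant?), not proof.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "firebase_db_url": re.compile(r"https://[a-z0-9\-]+\.firebaseio\.com"),
    "storage_bucket": re.compile(r"\b[a-z0-9\-]+\.appspot\.com\b"),
}

# Text files apktool produces that commonly carry configuration strings.
SCAN_SUFFIXES = (".xml", ".json", ".smali", ".properties", ".js", ".txt")


def scan_text(text, source="<memory>"):
    """Return one finding per pattern match, with file and line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(
                    {"file": source, "line": line_no, "kind": kind, "value": match.group(0)}
                )
    return findings


def scan_tree(root):
    """Walk a decoded APK directory and scan every text-like file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), os.path.relpath(path, root)))
    return findings


# Constructed sample files with dummy values (hypothetical app "SampleApp").
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">SampleApp</string>
    <string name="firebase_database_url">https://example-app-12345.firebaseio.com</string>
    <string name="google_storage_bucket">example-app-12345.appspot.com</string>
    <string name="google_api_key">AIzaSyDUMMYDUMMYDUMMYDUMMYDUMMYDUMMY012</string>
</resources>
"""

SAMPLE_SMALI = """.class public Lcom/example/Uploader;
.method private static getAccessKey()Ljava/lang/String;
    const-string v0, "AKIAEXAMPLEEXAMPLE00"
    return-object v0
.end method
"""


def build_sample_tree():
    """Constructed stand-in for an apktool output directory (dummy values)."""
    root = tempfile.mkdtemp(prefix="apk-scan-")
    os.makedirs(os.path.join(root, "res", "values"))
    os.makedirs(os.path.join(root, "smali", "com", "example"))
    with open(os.path.join(root, "res", "values", "strings.xml"), "w") as fh:
        fh.write(SAMPLE_STRINGS_XML)
    with open(os.path.join(root, "smali", "com", "example", "Uploader.smali"), "w") as fh:
        fh.write(SAMPLE_SMALI)
    return root


def demo():
    """Build the sample tree, scan it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return sorted(scan_tree(root), key=lambda f: (f["file"], f["line"], f["kind"]))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']} {f['kind']} {f['value']}")
```

A hit on a storage key or API key is only the start: the next step is to check what the key actually grants (a storage bucket that lists and serves every user's uploads is the Screen Recorder and iFax case), and the fix is to move such operations behind a backend the app authenticates to rather than shipping the credential in the package.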
The researchers were able to access all messages sent in the taxi service app T’Leva between customers and drivers, and also names, phone numbers, and other details, by sending one simple request to the database.
Image Source: Check Point Research
This misconfiguration of real-time databases is not new, but to our surprise, the scope of the issue is still far too broad and affects millions of users. All our researchers had to do was attempt to access the data. There was nothing in place to stop the unauthorized access from being processed.
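The two checks a practitioner would run against the database misconfiguration described above (the T’Leva "one simple request" and the absence of anything stopping unauthorized access) are shown below as an added example; it is not code from Check Point Research or from the article. It assumes the real-time database is a Firebase Realtime Database (the article does not name the vendor) and relies on that service's REST convention that an unauthenticated GET of `<db-url>/.json` returns 200 with data when the rules allow public reads and 401 with "Permission denied" when they do not. The weak and hardened rules documents, the fake responses, and the hypothetical database URL are all constructed for this example.

```python
"""
Audit helpers for the real-time database misconfiguration the article
describes: rules that grant read (or write) access to everyone, so a
single unauthenticated GET returns the whole dataset.

Two checks:
  1. lint_rules()     - static review of a security-rules document, flagging
                        any ".read"/".write" that is unconditionally true.
  2. probe_database() - the "one simple request" test: GET <db>/.json with
                        no credentials and classify the answer.

The HTTP transport is injectable so the probe can be exercised offline;
the rules documents and responses used here are constructed examples.
"""
import json
import urllib.error
import urllib.request

# Constructed example: the kind of rules that produce the exposure.
# Firebase rules cascade downward, so `true` at the root makes every
# path in the database world-readable and world-writable.
WEAK_RULES = json.loads('{"rules": {".read": true, ".write": true}}')

# Constructed example: per-user isolation. Only the signed-in owner of
# /users/$uid can read or write it, and nothing else is readable at all.
HARDENED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read":  "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
""")


def lint_rules(rules_doc):
    """Return a list of paths whose .read/.write is unconditionally true."""
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write") and value in (True, "true"):
                findings.append(f"{path or '/'} {key} is unconditionally true")
            elif key not in (".read", ".write", ".validate", ".indexOn"):
                walk(value, f"{path}/{key}")

    walk(rules_doc.get("rules", {}), "")
    return findings


def _http_fetch(url):
    """Default transport: (status, body) for an unauthenticated GET."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def probe_database(base_url, fetch=_http_fetch):
    """Classify an unauthenticated read of the database root.

    `shallow=true` asks only for the top-level keys, so a positive result
    proves the exposure without pulling every user's data onto the
    tester's machine.
    """
    status, body = fetch(base_url.rstrip("/") + "/.json?shallow=true")
    if status == 200:
        try:
            keys = sorted(json.loads(body).keys())
        except (ValueError, AttributeError):
            keys = []  # readable but empty, or not a JSON object
        return {"exposed": True, "status": status, "top_level_keys": keys}
    if status == 401:
        return {"exposed": False, "status": status, "reason": "permission denied"}
    return {"exposed": False, "status": status, "reason": "unexpected response"}


if __name__ == "__main__":
    print("weak rules:", lint_rules(WEAK_RULES))
    print("hardened rules:", lint_rules(HARDENED_RULES))
```

The linter catches the root-level `true` that cascades to every path; the probe is the runtime counterpart and is what a researcher's single request amounts to. Run the probe only against databases you are authorized to test.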
Although misconfigured real-time databases, notification managers, and storage buckets are not uncommon, it is concerning that such popular apps do not apply basic security practices to protect their users and their data.