100m users exposed by misconfigured apps

After examining 23 Android applications, Check Point Research (CPR) found that mobile app developers had potentially exposed the personal data of over 100-million users through a variety of misconfigurations of third-party cloud services.

The research was carried out by a team at CPR that included Aviad Danin, R&D team leader, Aviran Hazum, analysis and response team leader, Bogdan Melnykov, reverse engineer, Dana Tsymberg, cybersecurity analyst, and Israel Wernik, cybersecurity researcher, who published a blog with the findings after first alerting Google and the app developers.

Personal data included emails, chat messages, location, passwords and photos, which, in the hands of malicious actors, could lead to fraud, identity theft and service swipes.

According to the blog, CPR discovered publicly available sensitive data from real-time databases in 13 Android applications, with the number of downloads for each app ranging from 10 000 to 10-million.

In addition, the researchers found push notification and cloud storage keys embedded in a number of the Android applications themselves.

Examples of vulnerable applications include astrology, taxi, logo-maker, screen-recording and fax apps, which left users and developers vulnerable to malicious actors.

Modern cloud-based solutions have become the new standard in the mobile application development world. Services such as cloud-based storage, realtime databases, notification management, analytics, and more are simply a click away from being integrated into applications. Yet, developers often overlook the security aspect of these services, their configuration, and their content.

CPR recently discovered that, in the last few months, many application developers have left their data and millions of users’ private information exposed by not following best practices when configuring and integrating third-party cloud services into their applications. The misconfigurations put users’ personal data and developers’ internal resources, such as access to update mechanisms, storage and more, at risk.

Common errors found by CPR that expose users’ data include misconfigured realtime databases, misused push notifications, and unsecured cloud storage.