Check Point Research (CPR) has found sensitive data from mobile applications unprotected and available to anyone with a browser.
By searching VirusTotal over the course of a three-month research study, CPR found 2 113 mobile applications whose cloud databases were unprotected and exposed.
The mobile applications ranged from those with more than 10 000 downloads to some with more than 10-million downloads.
Sensitive data found exposed by CPR included personal family photos, token IDs on a healthcare application, data from cryptocurrency exchange platforms and more.
In one example, CPR found over 50 000 private messages exposed from a popular dating application.
The exercise demonstrates how easily a data breach can happen and what cloud security developers can do to better protect their applications.
Examples from the research study include: a department store application from one of the largest chains in South America; a running tracker application; a dating application; a logo design application; a social audio platform application for users to share and listen to independent podcasts; a bookkeeping application for small businesses; and a PDF reader.
Lotem Finkelsteen, head of threat intelligence and research at Check Point Software, comments: “In this research, we show how easy it is to locate data sets and critical resources that are open on the cloud to anyone who can simply get access to them by browsing.
“Everything we found is available to anyone.
“Ultimately, with this research we prove how easy it is for a data breach or exploitation to occur. The amount of data that sits openly and that is available to anyone on the cloud is crazy. It is much easier to breach than we think.”