Researchers from cybersecurity security firm Check Point Research have found that a number of Android apps had “misconfigurations” on cloud services, leaving user data belonging to more than 100 million users vulnerable to a variety of attacks.
In a report published Thursday, Check Point said it recently discovered that the developers behind nearly two dozen mobile apps didn’t configure their real-time database properly.
“Real-time database allows application developers to store data on the cloud, making sure it is synched in real-time to every connected client,” Check Point explained.
In the last few months, the team said many application developers have “put their data and users’ data at risk” by failing to ensure that authentication mechanisms were in place.
“By not following best practices when configuring and integrating 3rd party cloud services into applications, millions of users’ private data was exposed,” the team wrote. “In some cases, this type of misuse only affects the users, however, the developers were also left vulnerable. The misconfiguration put users’ personal data and developer’s internal resources, such as access to update mechanisms and storage at risk.”
23 apps examined
The researchers said the 23 Android apps they examined -- which included a taxi app with over 50,000 installs, a logo maker, a screen recorder with over 10 million downloads, a fax service, and astrology software, among others -- contained a variety of security shortcomings.
Check Point said the apps were leaking data that included email records, chat messages, location information, user IDs, passwords, and images. Thirteen of the apps left sensitive data publicly available in unsecured cloud setups.
In the case of the Angolan taxi app “T’Leva,” the researchers found that they were able to obtain user data, including messages exchanged with drivers, riders’ full names, phone numbers, and destination and pickup locations.
Aviran Hazum, Check Point's manager of mobile research, said the study "sheds light on a disturbing reality where application developers place not only their data, but their private users' data at risk."
When app developers fail to follow the “best practices” when configuring and integrating third party cloud services, the researchers said it could potentially leave users vulnerable to several types of cybersecurity threats.
"This misconfiguration of real-time databases is not new, but [..] the scope of the issue is still far too broad and affects millions of users," the researchers said. "If a malicious actor gains access to this data it could potentially result in service-swipe (trying to use the same username-password combination on other services), fraud, and identity theft."
The firm said it informed the app developers of the vulnerabilities, and a few have since changed their configuration.