How private are Android apps? Security researchers discovered 23 mobile applications leaking the personal data of their users, and making it public to the open internet.
According to a new Check Point research, chat messages, emails, locations, passwords, photos, and other personal details associated with several Android apps can be accessed by anyone with internet connection. Unfortunately, only a small number of the said apps changed their privacy settings after the company contacted them.
“After examining 23 Android applications, Check Point Research noticed mobile app developers potentially exposed the personal data of over 100 million users through a variety of misconfigurations of third party cloud services. Personal data included emails, chat messages, location, passwords and photos, which, in the hands of malicious actors could lead to fraud, identity-theft and service swipes,” the research revealed.
It is noteworthy that the data could be accessed from real-time databases in 13 of the 23 apps, downloaded from 10,000 to 10 million times. The apps were about themes such as astrology, taxi services, logo-makers, and screen recording. In the case of a taxi app, called T’Leva, the researchers could access the messages between drivers and passengers, as well as location data and personal details like full names and phone numbers. This could be done just by sending one request to the database.
Furthermore, the researchers discovered push-notification and cloud storage keys embedded in several apps, putting the developers’ internal resources, including update mechanisms and storage, at risk.
Real-Time Databases and Cloud-Based Solutions: A Liability
At the bottom of the issue are modern cloud-based solutions that have become the new standard in the world of mobile app development. “Services such as cloud-based storage, real-time databases, notification management, analytics, and more are simply a click away from being integrated into applications. Yet, developers often overlook the security aspect of these services, their configuration, and of course, their content,” Check Point said.
More specifically, real-time databases can become a liability, if not properly configured. These databases allow developers to store data in the cloud, synchronizing it in real-time to every connected client. However, if the database doesn’t have a basic feature such as authentication, privacy is put in danger.
Unfortunately, the issue with real-time databases is not new, and is a widely common problem affecting millions of users. In terms of the 23 applications analyzed by Check Point, “there was nothing in place to stop the unauthorized access from happening.”
During their investigation, the team recovered a lot of sensitive information, such as email addresses, passwords, private chats, device location, user identifiers, etc.
What could be the outcome of this data being exposed? If threat actors obtain access to such data, they could carry out service swipes, identity theft, and various types of fraud.
Cloud Applications Abused by Hackers
Another recent report, by Proofpoint, revealed the danger of the growing adoption of cloud collaboration tools in organizations. There has been an acceleration in threat actors exploiting Microsoft and Google’s cloud infrastructure to host and send malicious messages. Applications abused in the attacks include Office 365, Azure, OneDrive, SharePoint, G-Suite, and Firebase.