Home > Cyber News > Android App with Facebook API Copied and Insecurely Stored User Data

Android App with Facebook API Copied and Insecurely Stored User Data

A recent report carried out by Nightwatch Cybersecurity indicates that a third-party Android app with Facebook API access was copying user data into storage outside of Facebook. Moreover, the data was stored insecurely in two locations.

Android App with Facebook API Copied User Data

The issue was reported to Facebook through their Data Abuse Bounty program, and the storage locations were secured in November last year. As the app itself, it was removed from Facebook but the Android version is still available in Google Play. The worst part is that the number of users affected by this breach is unknown.

The researchers came across the dubious Android application in Google Play store in September last year, a few months after Facebook initiated its Data Abuse Bounty. The app claimed that it provided additional functionality to Facebook users not available through the platform. Purportedly, the app was downloaded more than 1, 000,000 times. After the researchers downloaded and analyzed it, they found that it was using Facebook APIs to access data for the logged-in user.

Related: [wplinkpreview url=”https://sensorstechforum.com/facebook-launches-data-abuse-bounty/”]Too Little, Too Late: Facebook Launches Data Abuse Bounty

The app even copied the data to locations outside of Facebook. At least two of the locations – a Firebase database and an API server – didn’t protect the data properly and it was accessible without any authentication and without HTTPS, the report said. Needless to say, this loophole could allow attackers to easily download the user data accumulated by the app.

According to the report:

During our examination of the application, we located a Firebase database that the application was communicating with.

Facebook’s Data Abuse Bounty program rewards people for reporting misuse of data by application developers. The Data Abuse Bounty is inspired by Facebook’s bug bounty program that the social network uses to uncover and address security issues.

The program is definitely “inspired” by the Cambridge-Analytica scandal and the following CubeYou events where quiz apps were used to harvest users’ information.

Nightwatch Cybersecurity’s discovery qualified under the terms of the Facebook Data Abuse Bounty Program and a bounty payment has been received, researchers said.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree