23 Misconfigured Android Apps Exposed Personal Data Of 100 Million Users


Developing a mobile app goes beyond just realizing an idea. It's also about maintaining it, and configuring everything that goes with it.

When one of those processes goes wrong, catastrophes can happen, as Check Point Research has found. After examining 23 Android apps available in the Google Play Store, the team discovered that developers who did not follow best practices when configuring and integrating third-party cloud services into their apps had exposed the private data of millions of users.

In a blog post, the researchers wrote:

"After examining 23 Android applications, Check Point Research (CPR) noticed mobile app developers potentially exposed the personal data of over 100 million users through a variety of misconfigurations of third party cloud services. Personal data included emails, chat messages, location, passwords and photos, which, in the hands of malicious actors could lead to fraud, identity-theft and service swipes."

"Modern cloud-based solutions have become the new standard in the mobile application development world. Services such as cloud-based storage, real-time databases, notification management, analytics, and more are simply a click away from being integrated into applications. Yet, developers often overlook the security aspect of these services, their configuration, and of course, their content."

"The misconfiguration put users’ personal data and developers’ internal resources, such as access to update mechanisms, storage and more, at risk."

Real-time databases allow app developers to store data in the cloud and synchronize it, in real time, to every connected client.

This gives apps the most up-to-date data at all times.

"In some cases, this type of misuse only affects the users, however, the developers were also left vulnerable. The misconfigurations put users' personal data and developer's internal resources, such as access to update mechanisms, storage, and more at risk."

It is also why a misconfiguration in this one service affects all of an app's users at once, millions of them in this case.

According to Check Point, issues that stem from misconfigured real-time databases, push notification keys, and cloud storage keys can leak sensitive data including email addresses, passwords, phone numbers, chat messages, locations, backups, browser histories, user identifiers and photos.

The researchers can see the email, password, username and ID of a user using the Logo Maker app. (Credit: Check Point Research)

Check Point researchers said they were able to obtain data belonging to users of the Angolan taxi app T'Leva, including messages exchanged between riders and drivers, as well as riders' full names, phone numbers, and pick-up and destination locations.

All the researchers had to do was request the data. Nothing was in place to stop an unauthorized party from reading it.
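The "nothing in place" above is, concretely, a rules document that grants read and write access to everyone. The following is an added example, not code from the article or from Check Point: it shows the weak setting beside a scoped one and a small audit that walks a rules document and flags every permission that is open to the internet or to any signed-in user. The rules syntax assumed here is that of Firebase Realtime Database, which the article does not name; both rules documents are constructed.

```python
import json

# Added example (not from the article or from Check Point): a small audit of
# real-time database security rules. The syntax assumed here is that of
# Firebase Realtime Database, which the article does not name.

# Constructed: the weak setting. Anyone who knows the database URL can read
# and write everything without credentials.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed: the corrected setting. Access is denied unless a rule grants it,
# a signed-in user may only touch their own subtree, and a chat is readable
# only by the members listed under it.
SCOPED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "chats": {
      "$chatId": {
        ".read": "auth != null && data.child('members').hasChild(auth.uid)",
        ".write": "auth != null && data.child('members').hasChild(auth.uid)"
      }
    }
  }
}
""")


def classify_rule(value):
    """Return a severity label for one ".read"/".write" value, or None if it
    looks properly scoped. Boolean false is an explicit deny, never a finding."""
    if value is False:
        return None
    expr = str(value)
    if value is True or "auth" not in expr:
        return "open"               # no credentials needed at all
    if "auth.uid" not in expr and "auth.token" not in expr:
        return "any-authenticated"  # any signed-in user, even an anonymous one
    return None


def audit_rules(rules_doc):
    """Walk the rules tree and list every permission that is open to the
    internet or to every signed-in user, as (path, permission, severity, expr)."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                severity = classify_rule(value)
                if severity:
                    findings.append((path or "/", key, severity, str(value)))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(rules_doc.get("rules", {}), "")
    return findings


if __name__ == "__main__":
    for label, doc in (("open", OPEN_RULES), ("scoped", SCOPED_RULES)):
        print(label, audit_rules(doc) or "no findings")
```

Run against the open document the audit reports both root permissions as `open`; against the scoped document it reports nothing. The `any-authenticated` class matters because a rule such as `"auth != null"` on its own still lets every account, including anonymous sign-ins, read every other user's records.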

What's more, the researchers found that app developers embedded keys required for sending push notifications and accessing cloud storage services right inside their apps.

This makes things worse because it lets attackers send a rogue notification to every user in the developer's name, and weaponize those notifications to steer unsuspecting users to a phishing page. In other words, the stolen keys give attackers an entry point for more sophisticated threats.

The researchers found such keys, without any safeguards, in the Screen Recorder and iFax apps.
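Keys embedded in an app can be recovered by anyone who unpacks it, so the practical defence is to catch them before release. The following is an added example, not code from the article or from any of the apps it names: a pre-release check that parses an Android `res/values/strings.xml` and flags resources whose name suggests a credential and whose value has the entropy of a key, or whose value matches a well-known fixed-prefix format. The resource file is constructed; the AWS pair is AWS's own documented example credential and the other value is a made-up placeholder.

```python
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Added example (not from the article or from any of the apps it names): a
# pre-release check that flags credentials hardcoded in an app's string
# resources. The file below is constructed; the values are placeholders
# (the AWS pair is AWS's own documented example, not a live credential).
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Example Recorder</string>
    <string name="welcome_message">Welcome back!</string>
    <string name="fcm_server_key">cXk3Tz9QmL2vN8pR5sW7yB4dF6hJ1gE0aU</string>
    <string name="s3_access_key_id">AKIAIOSFODNN7EXAMPLE</string>
    <string name="s3_secret">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
</resources>
"""

# Resource names that suggest the value is a credential rather than UI text.
SECRET_NAME = re.compile(r"key|secret|token|password|credential", re.I)

# Value formats with a well-known fixed prefix.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}


def shannon_entropy(text):
    """Bits of entropy per character; random keys score high, prose scores low."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings_xml(xml_text, min_len=20, min_entropy=3.5):
    """Return [(resource_name, [reasons])] for every <string> that looks like
    an embedded credential. Short values are skipped before entropy is computed."""
    findings = []
    for el in ET.fromstring(xml_text).iter("string"):
        name = el.get("name", "")
        value = (el.text or "").strip()
        reasons = [f"matches {label} format"
                   for label, pat in KNOWN_FORMATS.items() if pat.search(value)]
        if (SECRET_NAME.search(name) and len(value) >= min_len
                and shannon_entropy(value) >= min_entropy):
            reasons.append("secret-like name with high-entropy value")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{name}: {'; '.join(reasons)}")
```

On the constructed file the check flags the three credential resources and ignores the two UI strings. A hit should fail the build: a push notification server key or a storage access key belongs on a backend that the app calls after authenticating, not in the APK, where any user of the app can read it.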

Check Point notes that only a few of the apps changed their configuration in response to responsible disclosure. This means users of the other apps remain exposed to threats such as fraud and identity theft, as well as to attackers using the stolen passwords to gain access to their other accounts.

"Ultimately, victims become vulnerable to many different attack vectors, such as impersonations, identity theft, phishing and service swipes," said Aviran Hazum, Check Point's manager of mobile research, adding the study "sheds light on a disturbing reality where application developers place not only their data, but their private users' data at risk."

Published: 22/05/2021