‘Exposure’ of millions of Android app users due to misconfigured cloud integrations

Published May 24, 2021
Author: Ash Khan

Misconfigured cloud provider integrations in Android apps can reveal millions of users’ personal information, including locations, images, and passwords. 

Following a study of 23 Android applications, Check Point Research (CPR), the research arm of cybersecurity provider Check Point Software Technologies, found that over the past few months mobile developers had not followed best practices when configuring and integrating third-party cloud services into their apps. 

CPR reportedly discovered publicly accessible confidential data in the real-time databases of 13 of those apps, each with between 10,000 and 10 million downloads. 

Although CPR acknowledges that misconfigured real-time databases are not uncommon, it says it did nothing more than attempt to access the data, which had no protections in place to prevent unauthorized access. 
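The misconfiguration described above is a database whose access rules let anonymous clients read (and often write) everything. The following is an added example, not code from the article or from Check Point; it assumes the real-time database is Firebase Realtime Database, which the article does not name, and uses that service's documented rules JSON (a tree of paths whose `.read` and `.write` entries are a boolean or an expression string that may reference `auth`). It lints a rules document for paths that grant access without any identity check, with a constructed open ruleset beside a constructed owner-scoped one.

```python
"""Lint Firebase Realtime Database security rules for anonymously accessible paths.

Added example (not from the article or Check Point). Assumes the Firebase rules JSON
format; the sample rulesets below are constructed for illustration.
"""
import json

# Constructed sample: root-level rules that make every record readable and writable
# by anyone who knows the database URL.
OPEN_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Constructed sample: each user's subtree is readable and writable only by that
# authenticated user.
SCOPED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
})


def _is_permissive(value):
    """True when a .read/.write value grants access with no identity check.

    Heuristic: a literal true, or an expression string that never mentions
    `auth` (and is not simply false), is treated as open to anonymous clients.
    """
    if value is True:
        return True
    if isinstance(value, str):
        expr = value.replace(" ", "")
        if expr == "false":
            return False
        return expr == "true" or "auth" not in expr
    return False


def find_open_paths(rules_json):
    """Return [(path, operation)] for every rule that grants access without auth."""
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_permissive(value):
                    findings.append((path or "/", key))
            elif key not in (".validate", ".indexOn"):
                # Child path segments, including wildcards such as "$uid".
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "")
    return findings


if __name__ == "__main__":
    for label, doc in (("open", OPEN_RULES), ("scoped", SCOPED_RULES)):
        print(label, find_open_paths(doc))
```

Running the linter in CI against the rules file before deployment catches the root-level `true` pattern; rules that check `auth` still need review for correctness, since the heuristic only asks whether identity is consulted at all.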

According to a blog post by the research team, “when reviewing the material on the [publicly] accessible website, we were able to retrieve a lot of confidential information, including email addresses, passwords, private conversations, computer location, user identifiers, and more.” 

Furthermore, if a malicious attacker obtains access to the data, it can lead to service swipes (reusing the same username and password combination on several services), abuse, or identity theft. 

Astro Guru, an astrology, horoscope, and palmistry app with over 10 million downloads, and T’Leva, a taxi app with over 50,000 downloads, were two specific examples given. 

Check Point said the misconfiguration in the first app exposed addresses, birth dates, genders, places, passwords, and payment information. The second app reportedly exposed driver-passenger chat messages, as well as full addresses, phone numbers, destinations, and pick-up locations — all in a single database query. 

According to the research team, push notification managers — services that alert users to new content, chat messages, and emails — also had the potential for abuse. According to Check Point, most such services use one or more keys to identify the sender of a request. 

“When such keys are simply encoded into the application file itself, it is very straightforward for hackers to seize control and send messages to all users on behalf of the creator that might contain malicious links or content,” the CPR research team wrote. 

“Imagine that a news-outlet programme sent its users a fake-news entry notice that led them to a phishing site. Users will presume the message was genuine and delivered by the news source, rather than hackers, since it came from the official app.” 
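The quoted risk arises when the sender key is compiled into the application package, where anyone who unpacks the app can read it. The following is an added example, not code from the article or from Check Point: a pre-release check that scans an Android app's decoded string resources (`res/values/strings.xml`, assumed here as the location; the article does not say where the keys were stored) and flags entries whose name suggests a credential or whose value is a long, high-entropy token. The resource file and every key value in it are constructed placeholders.

```python
"""Flag credential-like values embedded in an Android app's string resources.

Added example (not from the article or Check Point). Assumes the keys live in
res/values/strings.xml; the sample file and its values are constructed.
"""
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample resource file: two ordinary UI strings, one entry named like a
# secret, and one innocuously named entry holding a token-shaped placeholder value.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Example Notes</string>
    <string name="push_server_key">PLACEHOLDER-SERVER-KEY-aG9wZWZ1bGx5bm90cmVhbA</string>
    <string name="analytics_session_seed">PLACEHOLDER_TOKEN_9f8e7d6c5b4a39281706f5e4d3c2b1a0</string>
    <string name="welcome_text">Welcome back!</string>
</resources>
"""

# Resource names that usually denote a credential of some kind.
SECRET_NAME = re.compile(r"(key|secret|token|password|credential)", re.IGNORECASE)
# Values shaped like opaque tokens: no spaces, only token-safe characters, 24+ chars.
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_\-:.]{24,}$")


def shannon_entropy(s):
    """Bits per character; random tokens score well above natural-language text."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_embedded_secrets(xml_text, min_entropy=3.5):
    """Return [(resource_name, reason)] for entries that look like embedded credentials."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter("string"):
        name = elem.get("name", "")
        value = (elem.text or "").strip()
        if SECRET_NAME.search(name):
            findings.append((name, "name suggests a credential"))
        elif TOKEN_SHAPE.match(value) and shannon_entropy(value) >= min_entropy:
            findings.append((name, "value looks like a high-entropy token"))
    return findings


if __name__ == "__main__":
    for name, reason in find_embedded_secrets(SAMPLE_STRINGS_XML):
        print(f"{name}: {reason}")
```

Any hit should be treated as a build blocker: a sender key belongs on a backend the app calls with the user's own session, not in the package. The name-based rule will also match harmless resources such as keyboard hints, so review the findings rather than suppressing the pattern.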

In certain circumstances, the cloud storage used by mobile applications was also accessible, raising questions about the security of users’ private passwords held by the same cloud providers that housed the files. 

This reportedly included Screen Recorder and iFax, a screen-recording app and a fax-sending app with over 10 million and 500,000 downloads, respectively. The Check Point analysis team found the apps’ cloud storage keys, which could enable malicious actors to access the stored data. 

Check Point further stated that Google and the app developers were contacted before the research team published the blog, and that a “few” of the applications changed their configuration as a result. 
