Researchers find serious cloud misconfigurations exposed Android app data belonging to over 100 million users.
Check Point Research team found no fewer than 23 popular mobile apps with various “misconfigurations of third party cloud services.”
Cloud services are widely used by app developers today, perhaps lately promoted by the coronavirus pandemic. Apps often integrate with cloud databases where they store and synch data for use on different platforms.
While useful in data management, storage, and processing, it presents one more point of entry for attackers that can expose or leak all app records.
In a report published on Thursday, researchers said the developers of some apps they examined failed to implement secure authentication mechanisms.
Among the 23 vulnerable Android apps were a taxi app, logo maker, screen recorder, fax service, and astrology software. All of them leaked data including chat messages, emails, location data, passwords, user IDs, and images.
In 13 apps, sensitive data was publicly exposed on clouds unsecured due to misconfigurations. Some of these apps have been downloaded from 10,000 to 10 million times.
While assessing a taxi app, the CPR team managed to pull up from its database names, phone numbers, pick-up and drop-off locations, and messages between drivers and customers.
The analyzed screen recorder and fax apps were not adequately secured either and allowed CPR to recover the keys and access stored recordings and fax documents.
Researchers found push notification keys were also exposed in the apps. Attackers can abuse push services to send malicious alerts to app users for phishing or scamming purposes, for example.
The researchers say the apps’ developers failed to follow “best practices when configuring and integrating third party cloud services into their applications.”
“This misconfiguration of real-time databases is not new, but [..] the scope of the issue is still far too broad and affects millions of users,” CPR says. “If a malicious actor gains access to this data it could potentially result in service-swipe (trying to use the same username-password combination on other services), fraud, and identity theft.”
CPR notified the developers of troubled apps about the misconfigurations prior to disclosure.