On Thursday, cybersecurity firm Check Point Research disclosed that 23 Android apps on the Google Play Store had cloud back ends that were configured and implemented poorly enough to put millions of Android users' data at risk. The exposed data may have included email records, chat messages, location information, images, user IDs, and passwords, which could lead to identity theft and fraud.
Most of the apps have more than 10 million downloads, which confirms that a large number of users are affected. Check Point reports that these apps may have exposed the data of more than 100 million users.
CPR researchers reported that it took them little effort to access sensitive data from the real-time databases of thirteen of the Android apps, many of which have clocked millions of downloads. In most of these apps, the researchers found that they had unrestricted access to the information in the databases.
“Modern cloud-based solutions have become the new standard in the mobile application development world…Yet, developers often overlook the security aspect of these services, their configuration, and of course, their content,” says CPR.
They also found cloud storage keys embedded in the code of a number of the apps. The researchers did not access these records for ethical reasons, but verified the exposure through code analysis.
Another problem they discovered was hard-coded push notification keys. Embedded notification keys are not as serious as cloud storage keys compiled into the app, but according to CPR it is still a bad practice.
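The two embedding problems described above (cloud storage keys and push notification keys compiled into the app) are the kind of defect a release check can catch before an app ships. The following is an added example, not Check Point's code, that scans a decompiled Android `strings.xml` for credential-like resources; the resource names, values and thresholds are constructed for illustration, and the heuristics are assumptions rather than any vendor's key format.

```python
import math
import re
import xml.etree.ElementTree as ET

# Resource names that commonly hold credentials (cloud storage keys, push keys).
SECRET_NAME = re.compile(r"(key|secret|token|credential|password)", re.IGNORECASE)
URL_VALUE = re.compile(r"^https?://", re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    """Bits per character; random API keys score well above ordinary text."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_keys(strings_xml: str):
    """Return (resource name, reason) for string resources that look like embedded keys.

    Rule 1: a credential-like name holding a long value (short values such as
            preference keys are skipped, a common false positive).
    Rule 2: any long, high-entropy value, whatever it is called.
    """
    findings = []
    for el in ET.fromstring(strings_xml).iter("string"):
        name, value = el.get("name", ""), (el.text or "").strip()
        if not value or " " in value or URL_VALUE.match(value):
            continue  # prose, empty values and endpoint URLs are not keys
        if SECRET_NAME.search(name) and len(value) >= 16:
            findings.append((name, "credential-like name with long value"))
        elif len(value) >= 32 and shannon_entropy(value) >= 3.5:
            findings.append((name, "high-entropy value"))
    return findings


# Constructed strings.xml standing in for a decompiled app; every value is fake.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Example News</string>
    <string name="pref_key_theme">dark</string>
    <string name="cloud_storage_key">AKIAEXAMPLEKEY0000000000</string>
    <string name="push_server_key">AAAAexampleConstructedPushKey_1234567890abcdef</string>
    <string name="api_base_url">https://api.example.invalid/v1/news/</string>
    <string name="config_blob">q7Zt2Lk9Pw4Rs1Xv8Mn3Bc6Fd0Hj5GyE</string>
</resources>"""

if __name__ == "__main__":
    for name, reason in find_hardcoded_keys(SAMPLE_STRINGS_XML):
        print(f"{name}: {reason}")
```

Run against the output of a decompiler such as apktool, the same function will flag resources that should instead be fetched from an authenticated back end at runtime.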
CPR explained that, “While the data of the push notification service is not always sensitive, the ability to send notifications on behalf of the developer is more than enough to lure malicious actors. Imagine if a news-outlet application pushed a fake news entry notification to its users that directed them to a phishing page requesting that they renew their subscription. Since the notification originated from the official app, the users will not suspect a thing, as they are sure that this notification was sent by the developers.”
Check Point said that it notified the app makers before disclosing these issues, and several followed up with updates to fix them. So far, the 23 apps surveyed are only a minuscule sample of the 2.87 million apps on the Google Play Store; many more may carry the same bad practices.