Misconfigured cloud services integrations into Android applications have potentially exposed the personal data of millions of users, including locations, photos and passwords.
According to Check Point Research (CPR), the research team behind cyber security vendor Check Point Software Technologies, application developers have not been following best practices in the last few months when configuring and integrating third-party cloud services into their Android apps after an analysis of 23 Android apps.
In 13 examples, CPR allegedly found public available sensitive data from real-time databases, with the number of downloads from each app ranging from 10,000 to 10 million.
While CPR admits the misconfiguration of real-time databases is not a new error, and is in fact widely common, it claimed all it did was attempt to access the data, with no safeguards put into place to prevent unauthorised access.
“While investigating the content on the [publicly] available database, we were able to recover a lot of sensitive information including email addresses, passwords, private chats, device location, user identifiers and more," a blog post from the research team said.
Furthermore, if a malicious actor gains access to that data, it has the potential to lead to service swipes — attempting to use the same username and password combination on other services — fraud or identity theft.
Two specific examples provided included the astrology, horoscope and palmistry app Astro Guru, which has over 10 million downloads, and taxi app T’Leva, with over 50,000 downloads.
With the first app, Check Point claimed it found the misconfiguration, which could access names, birth dates, genders, locations, emails and payment details. Meanwhile, the second app allegedly revealed chat messages between drivers and passengers, as well as full names, phone numbers, destinations and pick-up locations — through only a single request to the database.
Push notification managers — apps that can flag new content, and display chat messages and emails — also held the potential for exploitation, according to the research team. Most apps of this type, Check Point claimed, work with a key or keys to recognise the identity of the request submitter.
“When those keys are just embedded into the application file itself, it is very easy for hackers to take control and gain the ability to send notifications which might contain malicious links or content to all users on behalf of the developer,” the CPR research team wrote.
“Imagine if a news-outlet application pushed a fake-news entry notification to its users directing them to a phishing page. Since the notification originated from the official app, the users would assume the notification was legitimate and sent by the news outlet and not hackers.”
In addition, cloud storage for mobile apps were also accessed in some cases, which raised concerns around safeguarding users’ private password on the same cloud services that also stored content.
This allegedly included a screen recording app named Screen Recorder has and a fax-sending app called iFax, which have over 10 million and 500,000 downloads, respectively. Analysis of these apps by the Check Point research team found their respective cloud storage keys, potentially allowing malicious actors to access stored files.
Check Point also noted that Google and the apps’ developers had been contacted prior to the research team posting the blog, which resulted in a “few” of the apps changing their configuration.