Mobile app developers potentially expose personal data of 100 million Android users
After examining 23 Android applications, Check Point Research noticed mobile app developers potentially exposed the personal data of over 100 million users through a variety of misconfigurations of third party cloud services.
Personal data included emails, chat messages, location, passwords and photos, which, in the hands of malicious actors could lead to fraud, identity-theft and service swipes.
CPR discovered publicly available sensitive data from real-time databases in 13 Android applications, with the number of downloads that each app has ranging from 10,000 to 10 million.
It found push notification and cloud storage keys embedded in a number of Android applications themselves.
Modern cloud-based solutions have become the new standard in the mobile application development world. Services such as cloud-based storage, real-time databases, notification management, analytics, and more are simply a click away from being integrated into applications. Yet, CPR says developers often overlook the security aspect of these services, their configuration, and their content.
CPR recently discovered that in the last few months, many application developers have left their data and millions of users’ private information exposed by not following best practices when configuring and integrating third party cloud-services into their applications. The misconfiguration put users’ personal data and developers’ internal resources, such as access to update mechanisms, storage and more, at risk, it says.
Misconfiguring Real-Time Databases
Real-time databases allow application developers to store data on the cloud, making sure it is synchronised in real-time to every connected client. This service solves one of the most encountered problems in application development, while making sure that the database is supported for all client platforms.
However, what happens if the developers behind the application do not configure their real-time database with a simple and basic feature like authentication?
"This misconfiguration of real-time databases is not new, and continues to be widely common, affecting millions of users," CPR says.
"All CPR researchers had to do was attempt to access the data. There was nothing in place to stop the unauthorised access from happening."
While investigating the content on the publicly available database, CPR was able to recover a lot of sensitive information including email addresses, passwords, private chats, device location, user identifiers, and more.
If a malicious actor gains access to this data, it could potentially lead to service-swipes (ie. trying to use the same username-password combination on other services), fraud, and/ or identity-theft.
CPR researchers found that Astro Guru, a popular astrology, horoscope and palmistry app with more than 10 million downloads, has this misconfiguration. After users input their personal information such as their name, date of birth, gender, location, email and payment details, Astro Guru provides them a personal astrology and horoscope prediction report.
"Storing personal information is one thing, but what about storing real-time data? This is what a real-time database is for," says CPR.
"Through T’Leva, a taxi app with over fifty thousand downloads, CPR researchers were able to access chat messages between drivers and passengers and retrieve users full names, phone numbers, and locations (destination and pick-up) - all by sending one request to the database," it says.
A push notification manager is one of the most widely used services in the mobile application industry. Push notifications are often used to flag new available content, display chat messages, emails, and much more. Most push notification services require a key (sometimes, more than one) to recognise the identity of the request submitter. When those keys are just embedded into the application file itself, CPR says it is very easy for hackers to take control and gain the ability to send notifications that might contain malicious links or content to all users on behalf of the developer.
"Imagine if a news-outlet application pushed a fake-news entry notification to its users directing them to a phishing page," CPR says.
"Since the notification originated from the official app, the users would assume the notification was legitimate and sent by the news outlet and not hackers."
Cloud storage on mobile applications is a practice that has skyrocketed in the last few years. It allows access to files shared by either the developer or the installed application.
With more 10 million downloads, the Screen Recorder app is used to record the users device screen and store the recordings on a cloud service. While accessing screen recordings through the cloud is a convenient feature, there can be serious implications if developers safeguard users’ private passwords on the same cloud service that stores the recordings.
With a quick analysis of the application file, CPR researchers were able to recover the mentioned keys that grant access to each stored recording.
The second app, iFax, not only had the cloud storage keys embedded into the app, but also stored all fax transmissions there..
"With just analysing the app, a malicious actor could gain access to any and all documents sent by the 500,000 users who downloaded this application," CPR says.
How to protect yourself
"Mobile devices can be attacked via different ways. This includes the potential for malicious apps, network-level attacks, and exploitation of vulnerabilities within devices and the mobile OS," CPR says.
"As mobile devices become increasingly important, they have received additional attention from cybercriminals. As a result, cyber threats against these devices have become more diverse.
"An effective mobile threat defence solution needs to be able to detect and respond to a variety of different attacks while providing a positive user experience."