Misconfigured databases have long been a reason for exposing sensitive data. This time, however, the culprits turned out to be Android apps. Researchers discovered at least 23 different Android apps that leaked millions of user details via misconfigured cloud services.
Android Apps Leaked Data Due To Misconfigured Cloud
Check Point Research team has shared details of their findings regarding Android apps exposing millions of records. As revealed, they observed 23 different Android apps with misconfigured cloud services leaked over 100 million records. These leaked records include the personal data of the users as well as developers.
The issue existed because of improper configurations of third-party services that Android apps used to store users’ data.
Specifically, they observed the app developers applying “bad practices” for data storage which caused data exposure.
The key problems they noticed included publicly exposed databases, cloud keys either exposed or poorly hidden within the storage, and clear access to push notification feature.
This type of data exposure could allow anyone to extract sensitive personal details of all users of an app. For example, explaining the impact of publicly available real-time databases from 13 different apps, the researchers stated,
While investigating the content on the publically available database, we were able to recover a lot of sensitive information including email addresses, passwords, private chats, device location, user identifiers, and more. If a malicious actor gains access these data, it could potentially result in service-swipes (ie. trying to use the same username-password combination on other services), fraud, and identity theft.
Some of the vulnerable apps include Astro Guru, T’Leva, Logo Maker, Screen Recorder, and iFax. Whereas, generally, these apps boast over 10,000 to over 10 million installs on Google Play Store.
Problem At Developers’ End
While the issue seems a technical problem, the researchers emphasized how these issues arise due to developers’ bad practices.
To double-check this ‘bad practice’ thing, Check Point analyzed a mobile malware “CopyCat” that also stored poorly coded keys within cloud storage.
Before disclosing this research, Check Point reported the issues to the respective developers. Hence, some of them have fixed the bugs.