Misconfigured cloud services exposed 100 million Android users' data

Mobile apps reveal user data, including emails, chat messages, location, and passwords

Security researchers have discovered 23 Android applications that potentially exposed over 100 million users’ personal data through various misconfigurations of third-party cloud services.

According to Check Point Research, the data exposed from these apps included emails, chat messages, location, passwords, and photos. This left users exposed to fraud, identity theft, and service swipes (using the same username-password combination on other services).

Researchers said, “there was nothing in place to stop the unauthorized access from happening.”

“Modern cloud-based solutions have become the new standard in the mobile application development world,” researchers said. “Services such as cloud-based storage, real-time databases, notification management, analytics, and more are simply a click away from being integrated into applications. Yet, developers often overlook the security aspect of these services, their configuration, and of course, their content.”

The first problem researchers discovered was the misconfiguration of real-time databases developers used to store data in the cloud and synchronize with connected clients.

In 13 Android apps, which saw download numbers range from 10,000 to 10 million, no authentication was in place to prevent hackers from accessing these databases containing email addresses, passwords, private chats, device location, user identifiers, and more.

Related Resource

Building a data-driven enterprise of the future

Top five trends that will shape the future of organisational resiliency and effectiveness

Animated people in and around a rocket ship - Building a data-driven enterprise of the future - whitepaper from CrederaDownload now

In one app, T’Leva, a taxi app with over 50,000 downloads, researchers could access chat messages between drivers and passengers. They could also access users’ full names, phone numbers, and locations (destination and pick-up) – all by sending one request to the database.

A second issue was with push notifications. “Most push notification services require a key (sometimes, more than one) to recognize the identity of the request submitter,” said researchers. “When those keys are just embedded into the application file itself, it is very easy for hackers to take control and gain the ability to send notifications which might contain malicious links or content to all users on behalf of the developer.”

The third problem occurred in cloud storage. In one app, researchers could access cloud storage keys embedded into the app and all stored fax transmissions.

“With just analyzing the app, a malicious actor could gain access to any and all documents sent by the 500,000 users who downloaded this application,” said researchers.

Researchers said they approached Google and each app developer before publishing its research to share their findings. Researchers said only a few of the apps have since changed their configurations.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

UK's first government cyber strategy aims to bolster public sector defences
cyber security

UK's first government cyber strategy aims to bolster public sector defences

25 Jan 2022
Russia's "politically motivated" REvil raid could be used as leverage, experts warn
ransomware

Russia's "politically motivated" REvil raid could be used as leverage, experts warn

17 Jan 2022
Europol ordered to delete huge cache of unlawfully stored data
data protection

Europol ordered to delete huge cache of unlawfully stored data

11 Jan 2022
Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp
phishing

Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp

21 Dec 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022