Security researchers from Check Point have discovered 23 Android applications that exposed the personal data of more than 100 million users due to misconfigurations of third-party cloud services.
The experts pointed out that the misconfiguration also expose developer’s internal resources, such as access to update mechanisms and storage, at risk.
“This misconfiguration of real-time databases is not new, but to our surprise, the scope of the issue is still far too broad and affects millions of users.” reads the report published by the experts. “While investigating the content on the publically available database, we were able to recover a lot of sensitive information including email addresses, passwords, private chats, device location, user identifiers, and more. If a malicious actor gains access these data it could potentially result in service-swipes (ie. trying to use the same username-password combination on other services), fraud, and identity theft.”
Check Point experts were able to access the backend databases of 13 apps (i.e. Logo Maker, Astro Guru, T’Leva, Screen Recorder, and iFax) that were found to contain sensitive information such as email addresses, passwords, personal images, private chats, location coordinates, user identifiers, social media credentials, screen recordings.
In some cases, the apps analyzed by Check Point exposed access keys that would have allowed attackers to send push notifications to all the users of the applications.
Threat actors could abuse push notification services to conduct malicious activities, such as sending out messages containing links to malicious websites set up to deliver malware or phishing sites.
Experts explained that Cloud storage on mobile applications is often used to access files shared by either the developer or the installed application.
One of the apps analyzed by the experts, named Screen Recorder, which is available on Google Play with over 10 million downloads was storing the device’s screen on a cloud service. The researchers discovered that was possible to access the cloud storage keys that allowed them to access to users’ screenshots from the device.
“While accessing screen recordings through the cloud is a convenient feature, there can be serious implications if the developers embed the secret and access keys to the same service that stores those recordings. With a quick analysis of the application file, we were able to recover the mentioned keys that grant access to each stored recording.” continues the report.
Below the full list of apps analyzed by the experts, a dozen of them have more than 10 million installations on Google Play and the majority exposes an unprotected database.
(SecurityAffairs – hacking, Android apps)