Cybersecurity researchers discovered 13 Android apps that potentially left over 100 million smartphone users and developers vulnerable to malicious attacks due to their private data being exposed.
Spotted by Check Point Research (CPR), researchers found the Android apps had a variety of misconfigurations of third-party cloud services that made personal data publically available, including emails, texts on messaging apps, location, passwords and photos.
- Best budget phones in 2021
- You don't need to spend $1,000 for a 'flagship' phone
- The best cell phone deals in May 2021
According to the report, the developers of the mobile apps did not intentionally expose this data. However, having the information easily available for hackers to peek through means the private information could be used for malicious attacks.
CPR found the issue lies with the application developers. By not following best practices when configuring and integrating third-party cloud services into their apps, devs not only left millions of users' private data exposed but also their own.
One of the major problems came from a misconfiguration of real-time databases that allows data to be stored in a cloud. Without using authentication, it became easy to access all the private information stored. In fact, CPR researchers didn't have to do much to access the data, as there was nothing to stop them.
Misconfigured Android apps
A popular astrology app on the Google Play Store with more than 10 million downloads called "Astro Guru" was found to have this real-time database misconfiguration.
Users needed to enter their name, date of birth, gender, location, email, and payment details to get horoscope predications, meaning the aforementioned private information had been exposed.
CPR also discovered a taxi app with 50 thousand downloads named "T’Leva" that stored real-time data. This allowed researchers, and potential malicious actors, to see chat messages between drivers and passengers, and retrieve a users' full name, phone numbers, and locations via destination and pick-up. Talk about creepy.
Cloud storage also posed a security risk. The "Screen Recorder" app with 10 million downloads would store recordings on a cloud service. "There can be serious implications if developers safeguard users’ private passwords on the same cloud service that stores the recordings," CPR states.
After analyzing the app files, researchers could recover keys that gave them access to stored recordings.
There's also an "iFax" app that had the same issues, potentially allowing hackers to gain access to documents from over 500,000 users. CPR also mentions a "Logo Maker" app where they could access the username, email, and password of users.
The report doesn't mention all the apps exposed data, stating that "a few of the apps have changed their configuration." Developers of the apps have been notified about the issues. Check out CPRs full post for more details.
If you're looking to be protected online and to hide your private information, you'll want to find out what a VPN is, and why you should be using one.