The personal data of over 100 million Android users has been exposed through multiple misconfigurations of cloud services.
The exposed data was found in unprotected real-time databases used by 23 apps with tens of millions of downloads between them, as well as in internal developer tools.
Misconfigured real-time databases are nothing new, but it is surprising that some Android developers still do not follow basic security practice when it comes to restricting access to an app's database.
The number of affected apps shows that this is a common mistake, and one that can readily be exploited for malicious purposes.
To store data in the cloud and synchronize it in real time with linked clients, app developers use real-time databases.
According to Check Point researchers, some of these databases were left insecure, making it possible for anyone to access personal information, including confidential data, belonging to over 100 million users.
The exposed information includes names, email addresses, dates of birth, chat messages, location, gender, passwords, photographs, payment information, phone numbers, and push notifications.
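The misconfiguration described above is a rules problem, not a network one: a real-time database is reachable from any client on the internet by design, so the only thing standing between the public and the data is the access-rule document. The following is an added example, not code from the page or from any of the apps it names, and it assumes the databases in question are Firebase Realtime Database instances (the page does not name the product) whose rules are expressed in Firebase's JSON rules format. It shows a wide-open rules document beside a hardened per-user one, and a small linter that walks a rules document and reports every path whose read or write permission is granted unconditionally or without any `auth` check. The rule sets themselves are constructed for illustration.

```python
import json

# Constructed example: a rules document that makes the whole database world-readable
# and world-writable. This is the class of mistake behind the exposure, not any
# specific app's actual rules.
INSECURE_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed hardened version: only authenticated users, and only their own subtree.
HARDENED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
""")

# Constructed example of a subtle variant: the root grants read to everyone, and the
# child rule cannot take that back, because Firebase rules cascade downwards.
CASCADE_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    "private": { ".read": "auth != null" }
  }
}
""")

# Keys in a rules node that are not child paths.
META_KEYS = {".read", ".write", ".validate", ".indexOn"}


def weakness(expr):
    """Classify a .read/.write expression; return None if it looks acceptable."""
    if expr is True or (isinstance(expr, str) and expr.strip() == "true"):
        return "unconditional"
    if isinstance(expr, str) and "auth" not in expr:
        # An expression that never consults auth (e.g. only data.exists()) is
        # reachable by unauthenticated clients as well.
        return "no auth check"
    return None


def find_weak_paths(node, path="/"):
    """Walk a rules subtree and return (path, permission, reason) for each weak rule."""
    findings = []
    for key, value in node.items():
        if key in (".read", ".write"):
            reason = weakness(value)
            if reason:
                findings.append((path, key[1:], reason))
        elif key in META_KEYS:
            continue  # .validate/.indexOn do not grant access
        elif isinstance(value, dict):
            child = path.rstrip("/") + "/" + key
            findings.extend(find_weak_paths(value, child))
    return findings


def audit(rules_doc):
    """Audit a full rules document ({"rules": {...}})."""
    return find_weak_paths(rules_doc["rules"])


if __name__ == "__main__":
    for name, doc in (("insecure", INSECURE_RULES), ("hardened", HARDENED_RULES),
                      ("cascade", CASCADE_RULES)):
        print(name, audit(doc))
```

A finding at `/` is the worst case: because rules cascade, a read or write granted at a shallower path cannot be revoked by any deeper rule, so the `private` subtree in the third example is just as exposed as everything else. The linter is deliberately conservative; an expression that never mentions `auth` is flagged even if it may be intentional for genuinely public data, and a human should confirm each such path.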
Some of the apps exposing this type of data are available on Google Play and have been downloaded over 10 million times (Logo Maker, Astro Guru).
Less widely known apps, such as T'Leva, still have a sizable user base, with installation counts ranging from 10,000 to 500,000.
According to the researchers, some of the examined apps also contained developer-side secrets.
In one app they found credentials for push notification services.
Screen Recorder, a Google Play app, embeds cloud storage keys that give access to the screenshots users have uploaded from their phones.
Cloud storage keys were likewise embedded in the iFax Android app, whose database held documents and fax transmissions from over 500,000 users.
Some developers base64-encoded the secret key to obfuscate it, but this adds no real protection: base64 is a reversible encoding, not encryption, and anyone who finds the string can decode it.
In total, the Check Point researchers examined 23 apps, 12 of which have over 10 million downloads on Google Play, and the majority of them had an unprotected real-time database exposing confidential user details.