Personal data of more than 100 million Android users has been exposed due to various misconfigurations of cloud services.
The data was found in unprotected real-time databases used by 23 apps that have been downloaded by 10,000 to 10 million users and also includes internal developer resources.
Misconfigured real-time databases are not a new thing, but it is surprising that some Android developers still do not follow basic security practices to restrict access to the app’s database.
The number of mobile apps with misconfiguration issues shows that this is a widespread problem that can easily be leveraged for malicious purposes.
App developers use real-time databases to store data in the cloud and synchronize it in real-time with connected clients.
Check Point researchers discovered that some of these databases were left unprotected, making it easy for anyone to access personal information, including sensitive data, belonging to over 100 million users.
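As an added illustration (not part of the Check Point report), the kind of misconfiguration described above, assuming the real-time database is a Firebase Realtime Database: the first rule set leaves the whole database readable and writable by anyone who knows its URL, while the second restricts each user's record to that authenticated user.

```json
{
  "comment_weak": "Open rules: any unauthenticated client can read and write everything",
  "rules_weak": {
    ".read": true,
    ".write": true
  },

  "comment_fixed": "Restricted rules: a signed-in user may only access the node keyed by their own uid",
  "rules_fixed": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
```

In a real deployment only one top-level `rules` object is published; the two variants are shown side by side here for comparison, and any path not matched by a rule is denied by default.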
The data includes names, email addresses, dates of birth, chat messages, location, gender, passwords, photos, payment details, phone numbers, push notifications.
Some of the apps that expose this type of information are present in Google Play and have been installed more than 10 million times (Logo Maker, Astro Guru), while less popular apps such as T’Leva still have a significant user base, with installation counts between 10,000 and 500,000.
The researchers also found developer-related sensitive details embedded in some of the tested apps. In one app they also found the credentials for push notification services.
An app on Google Play named In Screen Recorder embeds the cloud storage keys that give access to users’ screenshots taken on their devices.
The iFax Android app also stored the cloud storage keys and the database contained documents and fax transmissions from more than 500,000 users.
Some developers have adopted the “security through obscurity” principle and obfuscated the secret key using base64 encoding, but this adds no protection since base64 is trivially decoded.
Check Point researchers analyzed 23 apps, a dozen of which have more than 10 million installations on Google Play, and most of them had the real-time database unprotected, exposing sensitive user information.