Researchers analyzing Android applications say that misconfigured third-party cloud services, set up by the mobile application developers themselves, may have exposed the data of more than 100 million users.
The Check Point Research (CPR) team checked 23 Android applications and found multiple misconfigurations that may have exposed emails, chat messages, locations, passwords, and photos. These incorrect configurations may also put developers’ internal resources at risk.
In 13 of these applications, CPR found sensitive data publicly accessible in real-time databases, a cloud service that lets application developers store data in the cloud and keep it synchronized to connected clients in real time. Some of these databases were not configured to require authentication, so the team only had to send a request to the database to retrieve data such as chat messages and passwords.
The researchers report that popular taxi apps with this misconfiguration have been downloaded more than 50,000 times. With a single request they could access the chat messages between drivers and passengers and retrieve a user's full name, phone number, destination, and pick-up location.
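As an added illustration that is not part of the Check Point report or this article: assuming the real-time databases involved use Firebase-style security rules (an assumption, since the article does not name the service), the script below places the open configuration beside a hardened one and runs a small defender-side check that flags any rule an unauthenticated request could satisfy.

```python
import json

# Constructed sample rules in the Firebase Realtime Database format (assumption:
# the databases in the report use this format). The weak version grants read
# and write access to anyone, which is the misconfiguration that lets a plain
# unauthenticated request return chat messages and passwords.
WEAK_RULES = json.dumps({
    "rules": {".read": True, ".write": True}
})

# Hardened version: every rule requires a signed-in user and scopes each
# record to the user who owns it.
HARDENED_RULES = json.dumps({
    "rules": {
        "chats": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
})


def rule_is_open(value) -> bool:
    """A rule is considered open if it is literally true or is an expression
    that never consults the auth object, so an unauthenticated client can
    satisfy it. This is a heuristic: rules that mention auth but still admit
    anonymous access (e.g. 'auth == null') are not caught here."""
    if value is True:
        return True
    if isinstance(value, str):
        return "auth" not in value
    return False


def _walk(node: dict, path: str, findings: list) -> None:
    # Recurse through the rules tree, recording the path of every open rule.
    for key, value in node.items():
        if key in (".read", ".write"):
            if rule_is_open(value):
                findings.append((path, key))
        elif isinstance(value, dict):
            _walk(value, path + key + "/", findings)


def find_open_rules(rules_json: str) -> list:
    """Return (path, rule_kind) for each .read/.write rule that an
    unauthenticated request could satisfy; an empty list means none found."""
    findings: list = []
    _walk(json.loads(rules_json)["rules"], "/", findings)
    return findings
```

Run the check against your own exported rules before release; an empty result from find_open_rules does not prove the rules are correct, only that no rule grants access without referencing auth.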
The team also discovered that push notification and cloud storage keys were embedded directly in multiple Android applications. Most push notification services require a key (sometimes several keys) to identify the party submitting the request. Once those keys are embedded in the application files, anyone who extracts them can send potentially malicious notifications through the developer's own channel.
Cloud storage is another common problem. When analyzing the “Screen Recorder” application, which had been downloaded more than 10 million times, the researchers were able to recover the keys that granted access to every recording. They report that another application, iFax, also embeds cloud storage keys in the app, and all of its fax transmissions are stored in that cloud storage.
The researchers note that they disclosed the findings to Google and to each application's developer before publication; some of the applications have since updated their configuration.
Read the full Check Point blog post for more details.
“Dark Reading Bulletin” provides brief summaries of breaking news events and why they matter. For more information, see the original source linked in this article.