The data of more than 100 million Android app users has been found exposed because of misconfigurations relating to third-party services.
Detailed May 20 by researchers at Check Point Software Technologies Ltd., the exposure relates to 23 popular apps that put user’s personal data at risk through developer internal resources, such as access to update mechanisms and storage.
The potential breach primarily comes down to the use of real-time database access, a service that allows developers to store data on the cloud. The researchers found that they could recover sensitive information, including email addresses, passwords, private chats, device location, user identifiers and more, all because the apps didn’t secure the access between the app and the cloud database.
One example is an app called Astro Guru, which is described as a popular astrology, horoscope and palmistry app with more than 10 million downloads. The researchers could access personal information, including payment details, because of the unsecured way the data was synced through cloud-based real-time databases.
The researchers noted that although cloud storage on mobile applications is an elegant solution to access files, there can be serious implications if the developers embed the secret and access keys to the same service in their apps.
“Some of these issues uncovered in the Check Point research are similar to what we covered in the iPhone recorder incident,” Michael Isbitski, technical evangelist at application programming interface security startup Salt Security Inc., told SiliconANGLE. “Mobile application developers often make use of cloud-hosted databases and data storage, such as AWS S3, to store content for mobile clients.”
For some of the Android apps Check Point examined, he explained, developers were embedding connection keys for backend cloud storage directly into the mobile application code. “It’s a bad practice to hardcode and store static access keys into an app, which the app, in turn, uses to connect to an organization’s own backend APIs and third-party cloud APIs,” he said.
Ray Kelly, principal security engineer at cloud application security provider WhiteHat Security Inc., noted that developers tend to think that mobile backends are hidden from hackers, a practice known in the cybersecurity industry as “security through obscurity.”
“It’s akin to hiding your house key under your doormat and thinking your house is safe,” Kelly said. “Ensuring that a mobile application is secure requires that the application’s binary, network layer, backend storage and APIs are all tested thoroughly for security vulnerabilities that can lead to issues such as data leakage.”
Image: Check Point
Since you’re here …
Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!
Support our mission: >>>>>> SUBSCRIBE NOW >>>>>> to our YouTube channel.
… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.