Mobile app developers may have exposed the personal data of over 100 million Android users to malicious actors, according to Check Point Research (CPR). The app research firm discovered multiple vulnerabilities resulting from misconfigured third-party cloud services after examining 23 Android applications. The compromised personal data included chat messages, emails, geographic locations, passwords and photos.
Cloud-based services such as real-time databases, push notifications and cloud storage have become standard practice for mobile apps. However, developers often overlook security considerations when integrating these services into their apps. CPR’s investigation over the last few months shows that the developers of many popular Android apps have failed to follow best practices for integrating and configuring these services. In addition to exposing personal data, these shortcomings may allow malicious actors to access an app’s internal resources, such as its storage and update mechanisms.
Real-Time Databases
Real-time databases allow apps to store data in the cloud while keeping it synchronized with the data on connected devices. This solves one of the biggest problems in modern app development: keeping every client platform in sync with the same database. However, it also requires developers to configure those databases properly, especially security features like authentication.
CPR researchers discovered that Astro Guru suffers from exactly this misconfiguration. The popular astrology app has over 10 million downloads and provides users with a horoscope after they enter personal information including their name, date of birth, gender and location. The taxi app T’Leva stores chat messages between passengers and drivers, which the researchers were able to access remotely.
Push Notifications
Apps use push notifications to inform users of a variety of events, including new content, chat messages and email. Sending a notification usually requires a key, and sometimes more than one, that verifies the identity of whoever submits the request. Embedding the key in the app itself is common practice because it’s easy to implement, but it also allows hackers to gain control of the app’s push notifications. The hacker can then create notifications containing malicious content and links, directing users to a phishing site.
Cloud Storage
The use of cloud storage by mobile apps has greatly increased during the last few years, primarily because it allows users to share data easily. However, it also requires the developer to protect this data by using the right configuration settings. CPR researchers found that Screen Recorder, a screen recording app with over 10 million downloads, allowed them to recover the keys that grant access to users’ screen recordings. Another app, iFax, had the same vulnerability in addition to the bad practice of storing faxes within the app.
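As an added example (not code from CPR or from the article), the following Python check a developer could run in CI over a decoded res/values/strings.xml to catch the practice the Push Notifications and Cloud Storage sections describe: cloud credentials shipped inside the app package. The sample resource file and every value in it are constructed, and the two credential formats matched are assumed heuristics, not definitive checks.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a decoded res/values/strings.xml; the values are made up
# and do not belong to any real app, project or account.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Example Horoscope</string>
    <string name="welcome_text">Welcome back, your daily reading is ready.</string>
    <string name="db_url">https://example-app.invalid/</string>
    <string name="push_server_key">AAAAx9Qk3mE:APA91bFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE</string>
    <string name="maps_key">AIzaFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK</string>
    <string name="support_email">support@example.invalid</string>
</resources>
"""

# Resource names that suggest a credential is being shipped inside the APK.
SUSPICIOUS_NAME = re.compile(r"(key|secret|token|password|credential)", re.IGNORECASE)

# Value patterns. These are assumed formats for two common cloud credentials
# (a Google API key and a legacy FCM server key); treat them as heuristics.
VALUE_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "fcm_server_key": re.compile(r"\bAAAA[0-9A-Za-z_-]{7}:APA91b[0-9A-Za-z_-]{20,}"),
}


def find_embedded_secrets(strings_xml: str) -> dict:
    """Return {resource_name: [reasons]} for strings that look like embedded credentials."""
    findings = {}
    root = ET.fromstring(strings_xml)
    for node in root.iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        reasons = []
        if SUSPICIOUS_NAME.search(name):
            reasons.append("name suggests a credential")
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                reasons.append(f"value matches {label} format")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    # Fail the build if any resource looks like a shipped credential.
    for name, reasons in find_embedded_secrets(SAMPLE_STRINGS_XML).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A hit means the key should move out of the package, behind a server-side endpoint that performs the authenticated call on the app's behalf.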
Attacks on mobile devices may generally be categorized into network-level attacks, malicious apps and the exploitation of existing vulnerabilities on the device. Cyber criminals are giving greater attention to attacking these devices now that they’re the most common means of accessing the internet, resulting in a greater diversity of attack methods. Mobile devices therefore need a greater ability to detect and respond to a variety of attacks while still providing users with a positive experience.
Google Android Apps flickr photo by Visual Content shared under a Creative Commons (BY) license