Misconfigurations in several Android apps have exposed the sensitive data of over 100 million users, potentially making them a lucrative target for malicious actors.
“Failure to follow best practices in configuring and integrating third-party cloud services with applications has exposed millions of users’ private data,” Check Point researchers said in an analysis released today and shared with The Hacker News.
“In some cases, this type of abuse only affects users. However, developers are also vulnerable. Configuration errors put users’ personal data and developers’ internal resources at risk, e.g. access to update mechanisms, storage, etc.”
The findings come from a study of 23 Android apps available in the official Google Play Store, some of them with between 10,000 and 10 million downloads, e.g. Astro Guru, iFax, Logohersteller, Screen Recorder, and T’Leva.
According to Check Point, the issues are due to misconfiguration of real-time databases, push notifications, and cloud storage keys that result in emails, phone numbers, chat messages, storage locations, passwords, backups, browsing history and photos being spilled.
Because the database was not secured behind authentication, the researchers were able to retrieve data from users of the Angolan taxi app T’Leva, including messages exchanged between drivers and passengers, as well as full names, phone numbers, and destination and pick-up locations.
In addition, the researchers found that app developers embedded the keys needed to send push notifications and to access cloud storage services directly in the apps. Not only could this allow bad actors to send a malicious notification to all users on behalf of the developer, it could also be exploited to direct unsuspecting users to a phishing site and thus become an entry point for further attacks.
Embedding cloud storage access keys in applications also opens the door to other attacks in which an adversary could take over all of the data stored in the cloud – a behavior that was observed in two applications, Screen Recorder and iFax, and that allowed the researchers to access the stored screen recordings and faxed documents.
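The class of mistake described above (service keys shipped inside the app package) is one a developer or app security team can catch before release by scanning the app’s own resources. The following check is an added example, not code from Check Point’s research or from any of the named apps; the key-format regexes follow the documented AWS and Google prefixes, the entropy threshold is a heuristic, and the resource file and key values are constructed and inert.

```python
"""Scan an Android strings.xml for embedded cloud credentials before release."""
import math
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Documented public key formats: AWS access key IDs (AKIA/ASIA + 16 chars)
# and Google API keys (AIza + 35 chars). Other providers can be added.
KNOWN_FORMATS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z\-_]{35}\b")),
]
# Resource names that suggest the value is a credential (heuristic).
SUSPICIOUS_NAME = re.compile(r"(key|secret|token|password|credential)", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score ~4.5+, words and URLs far lower."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_strings_xml(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (resource_name, finding_type, value) for each suspicious string."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        name, value = node.get("name", ""), (node.text or "").strip()
        for label, pattern in KNOWN_FORMATS:
            if pattern.search(value):
                findings.append((name, label, value))
                break
        else:
            # Heuristic: a secret-looking name holding a long, high-entropy
            # value is likely a push or storage credential (e.g. a server key).
            if SUSPICIOUS_NAME.search(name) and len(value) >= 20 and shannon_entropy(value) > 3.5:
                findings.append((name, "high_entropy_secret", value))
    return findings


# Constructed sample resource file; every key value is made up and inert.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Example Fax</string>
    <string name="google_api_key">AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6R</string>
    <string name="storage_access_key">AKIAEXAMPLE012345678</string>
    <string name="push_server_key">kf93Kd0s8Hq2ZpL4mN7vX1yB6cE9wR5tU0aG3jQ8</string>
    <string name="privacy_url">https://example.com/privacy</string>
</resources>"""

if __name__ == "__main__":
    for name, kind, value in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{kind:22} {name} = {value[:8]}...")
```

In a build pipeline the same function can be run over every `res/values*/strings.xml` of the unpacked APK, failing the build on any finding; client-side keys that must ship (such as a public API key) should be restricted to the app’s package and signing certificate on the provider side so that extracting them yields nothing.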
Check Point notes that only some of the apps changed their configuration in response to responsible disclosure. This means that users of the other apps remain exposed to threats such as fraud and identity theft, not to mention the use of stolen passwords to fraudulently access other accounts.
“Ultimately, victims become vulnerable to many different attack vectors, including identity theft, phishing and service scans,” said Aviran Hazum, director of mobile research at Check Point, adding that the study “sheds light on a disruptive reality in which app developers not only put their data at risk, but also the data of their private users.”