Several mobile apps, some with 10 million downloads, have opened up personal data of users to the public internet – and most haven't been fixed.
More than 100 million Android users are at risk after 23 different mobile apps were found to leak personal data in the wake of rampant cloud misconfigurations.
That’s according to Check Point Research, whose researchers found that emails, chat messages, location data, passwords, photos, personal data and more were all available to anyone with an internet connection. Worryingly, after being contacted by the firm, only “a few” of the apps have changed their settings to make the information private.
Researchers also found push-notification and cloud-storage keys embedded in a number of Android applications, which put developers’ own internal resources, such as access to update mechanisms, storage and more, at risk.
“Modern cloud-based solutions have become the new standard in the mobile application development world,” researchers explained in a blog, posted Thursday. “Services such as cloud-based storage, real-time databases, notification management, analytics and more are simply a click away from being integrated into applications. Yet, developers often overlook the security aspect of these services, their configuration, and of course, their content.”
The depth of the data at risk across the apps is such that a range of follow-on attacks could be possible, from using credentials against other accounts to social engineering and fraud/identity theft, researchers said.
“This discovery underscores the importance of security-focused app testing and verification,” said Chenxi Wang, general partner at Rain Capital, via email. “Developers don’t always know the right things to do with regard to security. The app platforms like Google Play and Apple App Store must provide deeper testing as well as incentivizing the right behavior from developers to build security in from the beginning.”
Real-Time Databases Left Open to Snoopers
The data was accessible from real-time databases in 13 of the Android apps, whose download numbers range from 10,000 to 10 million. The apps were for things like astrology, taxi services, logo-makers, screen recording and faxing, researchers said.
Real-time databases let application developers keep app data in the cloud: each time a client connects, its data is synchronized with the server, so every client and the database end up with the same, current view. For the apps examined, nothing checked who was asking: the databases answered requests that carried no credentials at all.
In the case of T’Leva, a taxi app with more than 50,000 downloads, researchers were able to access chat messages between drivers and passengers, plus location data and personal information like full names and phone numbers – all by sending one request to the database.
“This misconfiguration of real-time databases is not new, and continues to be widely common, affecting millions of users,” according to the blog. “All [Check Point] researchers had to do was attempt to access the data. There was nothing in place to stop the unauthorized access from happening.”
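The exposure described above comes down to one unauthenticated request, and the fix is a rules change on the backend. The following is an added example, not Check Point's tooling and not code from any of the apps named here. It assumes a Firebase-style Realtime Database, which the page does not name: the REST endpoint `<db-url>/<path>/.json` returns a node's contents to a plain GET when the rules allow public reads, and the rules document uses `.read`/`.write` entries. The two backends it probes and both rule sets are constructed for the example, so it runs offline.

```python
"""Probe a mobile app's real-time database for unauthenticated reads.

Added example, not Check Point's tooling. It assumes a Firebase-style
Realtime Database REST API (GET <db-url>/<path>/.json) and a Firebase-style
rules document; the page does not name the product, so both are assumptions.
"""
import json
from typing import Callable, Dict, List, Tuple

# A fetcher returns (http_status, body). In real use wrap urllib or requests;
# here a constructed fake stands in so the example runs offline.
Fetcher = Callable[[str], Tuple[int, str]]


def probe_unauth_read(db_url: str, fetch: Fetcher, path: str = "/") -> dict:
    """Send one request with no credentials and classify the answer."""
    url = db_url.rstrip("/") + path.rstrip("/") + "/.json"
    status, body = fetch(url)
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            data = None
        # A 200 means the rules let anyone read this node. The body may be
        # "null" for an empty node; that is still an open database.
        keys = sorted(data.keys()) if isinstance(data, dict) else []
        return {"url": url, "exposed": True, "top_level_keys": keys}
    if status in (401, 403):
        return {"url": url, "exposed": False, "reason": "permission denied"}
    return {"url": url, "exposed": False, "reason": f"unexpected status {status}"}


def audit_rules(doc: dict) -> List[str]:
    """Report every .read/.write in a rules document that is unconditionally true."""
    return _walk(doc.get("rules", {}), "/")


def _walk(node: dict, path: str) -> List[str]:
    findings = []
    for key, value in node.items():
        if key in (".read", ".write"):
            # Both the JSON boolean and the string "true" are accepted as "open".
            if value is True or (isinstance(value, str) and value.strip().lower() == "true"):
                findings.append(f"{path}: {key} is unconditionally true")
        elif isinstance(value, dict):
            findings.extend(_walk(value, path.rstrip("/") + "/" + key))
    return findings


# The misconfiguration the researchers describe: anyone can read and write.
WEAK_RULES = {"rules": {".read": True, ".write": True}}

# Corrected form: each signed-in user reaches only their own subtree.
HARDENED_RULES = {
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
}

# Constructed responses for two hypothetical backends; nothing is contacted.
FAKE_BACKENDS: Dict[str, Tuple[int, str]] = {
    "https://open-taxi-app.example/.json": (
        200,
        json.dumps({"chats": {"ride1": {"from": "driver", "text": "On my way"}},
                    "drivers": {"d1": {"name": "A. Driver", "phone": "+10000000000"}}}),
    ),
    "https://locked-app.example/.json": (401, '{"error": "Permission denied"}'),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    return FAKE_BACKENDS.get(url, (404, ""))


if __name__ == "__main__":
    for base in ("https://open-taxi-app.example", "https://locked-app.example"):
        print(probe_unauth_read(base, fake_fetch))
    print("weak rules:", audit_rules(WEAK_RULES))
    print("hardened rules:", audit_rules(HARDENED_RULES))
```

The probe is the check a tester runs against a database URL pulled from an app; the rules audit is the check a developer runs before deploying. Note that a 401 only proves the root is locked: rules are evaluated per path, so a tree that denies reads at `/` can still expose a child node whose own rule is `true`, which is why the audit walks the whole document.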
Astro Guru Didn’t Foresee the Data Leak
One of the offending apps, Astro Guru, has more than 10 million downloads. It offers horoscopes, palmistry and similar services. Since it provides personalized “readings,” it asks for a lot of information, including name, date of birth, gender, location, emails and, of course, payment details. Once that’s completed, Astro Guru delivers a “personal astrology and horoscope prediction report.”
Meanwhile, the push-notification services behind many of the apps were no better protected: the keys that authorize sending notifications were embedded in the apps themselves. Push notifications are familiar to most of us as those unsolicited notes that pop up as an alert, flagging news, new emails, new content, how many steps one has taken that day or what have you, from various apps installed on the phone.
“Most push notification services require a key (sometimes, more than one) to recognize the identity of the request submitter,” according to the analysis. “When those keys are just embedded into the application file itself, it is very easy for hackers to take control and gain the ability to send notifications which might contain malicious links or content to all users on behalf of the developer.”
This could be weaponized in ingenious ways, such as hackers intercepting news alerts to replace legitimate content with fake news, or phishers injecting phishing links into the notifications – all of which are sent from the legitimate app, so users are none the wiser.
Cloud Keys Up in the Air for the Taking
In the case of at least two of the apps, cloud keys were exposed with no safeguards, according to the researchers.
For instance, the Screen Recorder app does what it says – it records the user’s screen and then saves the recordings in the cloud for later access. It has more than 10 million downloads.
Unfortunately, the developers saved users’ private passwords on the same cloud service that stores the recordings.
“With a quick analysis of the application file, [Check Point] researchers were able to recover the mentioned keys that grant access to each stored recording,” they explained.
It’s a bad practice to hardcode and store static access keys into an app, Michael Isbitski, technical evangelist at Salt Security, said via email.
“The app in turn uses [the keys] to connect to an organization’s own backend APIs and third-party (e.g., cloud) APIs,” he explained. “Compiled code within mobile app binaries is much more readable than many developers realize. Decompilers and disassemblers are plentiful, and such connection keys are easily harvested by attackers. Attackers then bypass the app entirely and connect directly to backend APIs to abuse the business logic of the app or scrape data.”
If you use cloud storage as a developer, any key material needed to reach it has to stay out of an attacker's hands, and you should also use the cloud provider's access-control and encryption mechanisms to protect the data itself. Two different problems are easy to conflate here. Secrets the app creates on the device (session tokens, local encryption keys) belong in the Android Keystore, which is hardware-backed on devices with a TEE or StrongBox so the key material never leaves the secure hardware; other sensitive data kept client-side should use Android's encryption mechanisms. A long-lived service key compiled into the APK is a different matter: no keystore helps, because anyone who downloads the APK can pull the key out, as Isbitski describes. The fix is not to ship it at all: keep the service credential on a backend you control and have the app obtain short-lived, narrowly scoped tokens from that backend after the user authenticates.
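As an added example covering both the embedded push-notification keys Check Point describes and the key harvesting Isbitski describes, here is the kind of scanner a reviewer runs over an unpacked app before release. It is not Check Point's or Salt Security's code. It assumes the APK has already been decoded into text files (for instance with apktool), and the formats it looks for (Google API keys beginning `AIza`, legacy FCM server keys beginning `AAAA…:APA91b`, AWS access key IDs beginning `AKIA`, PEM private-key headers) are prefix heuristics, so a hit is a lead to verify rather than proof the key is live. The sample files and every key in them are constructed and fake.

```python
"""Scan an unpacked Android app for embedded service keys.

Added example, not Check Point's or Salt Security's code. It assumes the APK
has already been decoded (e.g. with apktool) into text files, and it matches
well-known key prefixes; a hit is a lead to verify, not proof the key is live.
"""
import re
from typing import Dict, List

# Prefix-based heuristics for credential formats often shipped inside apps.
KEY_PATTERNS: Dict[str, re.Pattern] = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "fcm_legacy_server_key": re.compile(r"AAAA[0-9A-Za-z_-]{7}:APA91b[0-9A-Za-z_-]{100,}"),
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Text files worth scanning in an apktool output tree; binaries are skipped.
SCAN_SUFFIXES = (".xml", ".smali", ".json", ".properties", ".txt", ".js")


def redact(secret: str) -> str:
    """Keep enough to recognise the key, never the whole value, so the report is safe to share."""
    if len(secret) <= 12:
        return secret[:4] + "..."
    return secret[:8] + "..." + secret[-4:]


def scan_text(file_name: str, text: str) -> List[dict]:
    """Run every pattern over one file's contents and record where each key sits."""
    findings = []
    for kind, pattern in KEY_PATTERNS.items():
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append({
                "file": file_name,
                "line": line_no,
                "kind": kind,
                "preview": redact(match.group(0)),
            })
    return findings


def scan_unpacked(files: Dict[str, str]) -> List[dict]:
    """files maps a relative path inside the decoded APK to its text contents."""
    findings = []
    for name, text in files.items():
        if name.endswith(SCAN_SUFFIXES):
            findings.extend(scan_text(name, text))
    return findings


# Constructed stand-in for an apktool output tree. Every key is fake and
# shaped only to match the prefixes above.
SAMPLE_FILES: Dict[str, str] = {
    "res/values/strings.xml": (
        "<resources>\n"
        '    <string name="app_name">Example Recorder</string>\n'
        '    <string name="maps_key">AIzaSyExampleExampleExampleExampleExamp</string>\n'
        '    <string name="storage_key">AKIAEXAMPLEKEY000000</string>\n'
        "</resources>\n"
    ),
    "smali/com/example/push/Sender.smali": (
        '.field private static final SERVER_KEY:Ljava/lang/String; = "'
        + "AAAA1234567:APA91b" + "X" * 104 + '"\n'
    ),
    "assets/config.json": '{"env": "prod", "debug": false}\n',
    "res/drawable/icon.png": "\x89PNG binary placeholder",
}


if __name__ == "__main__":
    for f in scan_unpacked(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['kind']} {f['preview']}")
```

Run against a real apktool output directory by reading each file under the tree into the dictionary that `scan_unpacked` takes. Anything this finds in `res/values/strings.xml` or a smali constant is, by construction, readable by every user of the app; the only credential that belongs there is one you would be comfortable publishing.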
The second app was iFax, which made a similar blunder. In this case, the developers stored the cloud keys and the fax transmissions in the same cloud.
“With just analyzing the app, a malicious actor could gain access to any and all documents sent by the 500,000 users who downloaded this application,” according to Check Point – a problem given that the heaviest users of faxes these days are regulated industries like healthcare and financial companies.
What to Do if Your Data is Leaked by an App
Imperva Research Labs has found that data-leakage incidents have increased 557 percent over the past 12 months, and are up 74 percent since the beginning of 2021, according to Ron Bennatan, general manager for data security for Imperva.
“Enterprises need to stop thinking of application security and data security as disparate entities, because attackers certainly aren’t thinking that way, and it’s creating opportunities for them to access data,” he said. “A good enterprise takes a data-centric approach and secures the data itself, and not just the endpoints connected to the database.”
Cloud misconfigurations that leave data publicly exposed happen all the time, in other words – and unfortunately, there’s very little that end users can do to protect themselves from an exposure. But there are steps to take after a data leak occurs, researchers said.
“End users can take proactive steps to protect themselves when their data does get exposed,” Irene Mo, senior consulting associate at Aleada, said via email. “My two top tips are: 1) set up multifactor authentication for every account that offers it, and 2) lie on account security questions. The answers to common security questions, like a user’s childhood street name or their favorite color, can be found publicly online. If a user lies on their security questions, only the user knows how they lied. And to keep track of their lies (a bonus tip), use a password manager.”