More than 100 million Android users are at risk after 23 different mobile apps were found to leak personal data as a result of widespread cloud misconfigurations.
Several mobile apps, some with 10 million downloads, have exposed their users' personal data to the public internet, and most have not been fixed.
That is according to Check Point Research, whose researchers found that emails, chat messages, location data, passwords, photos, personal data and more were all available to anyone with an internet connection. Worryingly, after being contacted by the firm, only “a few” of the apps have changed their settings to make the information private.
Researchers also found push-notification and cloud-storage keys embedded in a number of Android applications, which put developers’ own internal resources, such as access to update mechanisms, storage and more, at risk.
“Modern cloud-based solutions have become the new standard in the mobile application development world,” researchers explained in a blog posted Thursday. “Services such as cloud-based storage, real-time databases, notification management, analytics and more are simply a click away from being integrated into applications. Yet, developers often overlook the security aspect of these services, their configuration, and of course, their content.”
The depth of the data at risk across the apps is such that a range of follow-on attacks could be possible, from using credentials against other accounts to social engineering and fraud/identity theft, researchers explained.
“This discovery underscores the importance of security-focused app testing and verification,” said Chenxi Wang, General Partner at Rain Capital, via email.
“Developers don’t always know the right things to do with regard to security. The app platforms like Google Play and Apple App Store must provide deeper testing as well as incentivising the right behaviour from developers to build security in from the beginning.”
Left Open to Snoopers
The data was accessible from real-time databases in 13 of the Android apps, whose download numbers range from 10,000 to 10 million. The apps were for things like astrology, taxi services, logo-makers, screen recording and faxing, researchers explained.
Real-time databases allow application developers to store data in the cloud, so that each time an app connects, information is synchronised and the clients (and the databases) are brought up to date. However, for the examined apps, no authentication check was required to access them.
In the case of T’Leva, a taxi app with more than 50,000 downloads, researchers were able to access chat messages between drivers and passengers, plus location data and personal information like full names and phone numbers – all by sending one request to the database.
“This misconfiguration of real-time databases is not new, and continues to be widely common, affecting millions of users,” according to the blog. “All Check Point researchers had to do was attempt to access the data. There was nothing in place to stop the unauthorised access from happening.”
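As an added illustration, not taken from the Check Point report or from any of the apps named in this article, here is the kind of rules file that leaves a real-time database readable by anyone, next to a corrected version that requires an authenticated user and scopes each record to its owner. The syntax is that of Firebase Realtime Database security rules (the article does not name the database product, so this is an assumption); the rules format accepts `//` comments, and the `users` and `chats` schema is invented for the example.

```json
// Misconfigured rules of the kind described above: anyone who knows the
// database URL can read and write every record, no login required.
//   { "rules": { ".read": true, ".write": true } }
//
// Corrected rules. Assumed (invented) schema: /users/$uid holds profile
// records, /chats/$rideId holds driver-passenger messages plus the two
// participants' uids in driverId and passengerId.
{
  "rules": {
    // Deny everything by default; a node is reachable only if a rule below grants it.
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        // A signed-in user may read and write only their own profile record.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        // Reject any attempt to store a password in a client-writable record.
        "password": { ".validate": false }
      }
    },
    "chats": {
      "$rideId": {
        // Only the driver or passenger of this ride may read its messages.
        ".read": "auth != null && (data.child('driverId').val() == auth.uid || data.child('passengerId').val() == auth.uid)",
        // Only a participant may write, and the participant fields cannot be changed by the client.
        ".write": "auth != null && (data.child('driverId').val() == auth.uid || data.child('passengerId').val() == auth.uid)",
        "driverId": { ".validate": "newData.val() == data.val()" },
        "passengerId": { ".validate": "newData.val() == data.val()" }
      }
    }
  }
}
```

The corrected rules assume ride records (with their participant ids) are created server-side; a client cannot create a new chat node because the write rule checks the existing `data`, which is empty for a record that does not yet exist.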
Did Not Foresee
One of the apps, Astro Guru, has more than 10 million downloads. It offers horoscopes, palmistry and similar services. Since it provides personalised “readings,” it asks for a lot of information, including name, date of birth, gender, location, emails and, of course, payment details. Once that is completed, Astro Guru delivers a “personal astrology and horoscope prediction report.”
Meanwhile, push notification managers in many of the apps were not password-protected either. Push notifications are familiar to most of us as those unsolicited notes that pop up as an alert, flagging news, new emails, new content, how many steps one has taken that day or what have you, from various apps installed on the phone.
“Most push notification services require a key (sometimes, more than one) to recognise the identity of the request submitter,” according to the analysis. “When those keys are just embedded into the application file itself, it is very easy for hackers to take control and gain the ability to send notifications which might contain malicious links or content to all users on behalf of the developer.”
This could be weaponised in ingenious ways, such as hackers intercepting news alerts to replace legitimate content with fake news, or phishers injecting phishing links into the notifications – all of which are sent from the legitimate app, so users are none the wiser.
In the case of at least two of the apps, cloud keys were exposed with no safeguards, according to the researchers.
For instance, the Screen Recorder app does what it says – it records the user’s screen and then saves the recordings in the cloud for later access. It has more than 10 million downloads.
Unfortunately, the developers saved users’ private passwords on the same cloud service that stores the recordings.
“With a quick analysis of the application file, Check Point researchers were able to recover the mentioned keys that grant access to each stored recording,” they explained.
It is a bad practice to hardcode and store static access keys in an app, Michael Isbitski, Technical Evangelist at Salt Security, commented.
Decompilers and Disassemblers
“The app in turn uses the keys to connect to an organisation’s own backend APIs and third-party (e.g., cloud) APIs,” he explained. “Compiled code within mobile app binaries is much more readable than many developers realise.
Decompilers and disassemblers are plentiful, and such connection keys are easily harvested by attackers. Attackers then bypass the app entirely and connect directly to backend APIs to abuse the business logic of the app or scrape data.”
If you opt to use cloud storage as a developer, you need to ensure that any key material necessary to connect to such storage is kept secure, and you must also leverage the cloud provider’s access control and encryption mechanisms to keep the data protected.
Android Keystore and Keychain
Mobile app developers should make use of the Android Keystore and Keychain mechanisms, which are backed by the hardware security module of the mobile device. Developers should also make use of the Android encryption mechanisms when storing other sensitive data client-side.
The second app was iFax, which made a similar blunder. In this case, the developers stored the cloud keys and the fax transmissions in the same cloud.
“With just analysing the app, a malicious actor could gain access to any and all documents sent by the 500,000 users who downloaded this application,” according to Check Point – a problem given that the heaviest users of faxes these days are regulated industries like healthcare and financial companies.
If Your Data is Leaked
Imperva Research Labs has found that data-leakage incidents have increased 557% over the past 12 months, and are up 74% since the beginning of 2021, according to Ron Bennatan, General Manager for Data Security at Imperva.
“Enterprises need to stop thinking of application security and data security as disparate entities, because attackers certainly aren’t thinking that way, and it’s creating opportunities for them to access data,” he stated. “A good enterprise takes a data-centric approach and secures the data itself, and not just the endpoints connected to the database.”
In other words, cloud misconfigurations that leave data publicly exposed happen all the time, and unfortunately there is very little that end users can do to protect themselves from an exposure. But there are steps to take after a data leak occurs, researchers stated.
“End users can take proactive steps to protect themselves when their data does get exposed,” Irene Mo, Senior Consulting Associate at Aleada, explained. “My two top tips are: 1) set up multifactor authentication for every account that offers it, and 2) lie on account security questions.
The answers to common security questions, like a user’s childhood street name or their favourite colour, can be found publicly online. If a user lies on their security questions, only the user knows how they lied. To keep track of their lies, a bonus tip, use a password manager.”