Check Point researchers discovered that sensitive information of more than 100 million Android users was exposed due to cloud services misconfigurations.
The researchers listed 23 Android apps on the Google Play store with 10,000 to 10 million downloads affected by cloud security misconfigurations.
They noted that the security flaws not only put sensitive user data at risk but also internal development resources and updating mechanisms used by the Android app developers.
They also noted that the large number of affected mobile apps indicated a widespread problem.
Cloud services misconfiguration exposes PII, real-time and payment data and on popular Android apps
Android mobile app developers use real-time databases to synchronize real-time communication and synchronization in Android apps.
However, Check Point researchers discovered that many developers failed to follow proper security practices when configuring and integrating cloud services.
“By not following best practices when configuring and integrating third-party cloud services into applications, millions of users’ private data was exposed,” researchers said.
They discovered that many Android app cloud databases were unsecured, allowing anybody to access sensitive user information of over 100 million users.
“While investigating the content on the publicly available database, we were able to recover a lot of sensitive information including email addresses, passwords, private chats, device location, user identifiers, and more,” the researchers noted. “If a malicious actor gains access [to] this data it could potentially result in service-swipes (i.e. trying to use the same username-password combination on other services), fraud, and identity theft.”
A dozen Android apps with more than 10 million Google Play installs exposed real-time databases storing sensitive user information.
An Android astrology and horoscope prediction app with over 10 million downloads, Astro Guru was affected. It exposed sensitive user information, including email addresses, date of birth, name, gender, location, and payment details.
Another Android app, Logo Maker, with over 10 million installs, exposed users’ email addresses, passwords, username, and ID.
One of the Android apps downloaded over 10 million times, Screen Recorder, exposed cloud storage keys giving attackers access to screen recordings stored on cloud platforms. iFax, an Android app with over 500,000 users, also exposed cloud storage keys giving hackers access to fax transmissions.
The researchers could access real-time chat messages, location, users’ full names, and phone numbers by sending a request to the database used by the T’Leva taxi app with over 50,000 installs.
“In some cases, this type of misuse only affects the users, however, the developers were also left vulnerable,” Check Point noted. “The misconfiguration put users’ personal data and developer’s internal resources, such as access to update mechanisms and storage at risk.”
The cybersecurity firm also said that misconfigured cloud services “left corporate resources vulnerable to malicious actors.”
Exposed details could be also used by attackers in credential stuffing attacks. Threat actors could use real-time communication and notification services to push fake news or malicious links to users who trust these android apps.
“Since the notification originated from the official app, the users will not suspect a thing, as they are sure that this notification was sent by the developers,” the report authors wrote.
Developers provide fake solutions while hackers incorporate the flaws in exploit kits
Check Point also discovered that many app developers attempted to cover up these security lapses by providing fake solutions that did not fix the problems. Some also used the reversible Base64 encoding to hide keys within Android apps.
Threat actors could decode these keys and use them for malicious purposes after breaching misconfigured cloud services. CopyCat malware had already incorporated these bad security practices in their mobile exploit kits.
Check Point notified the app developers of the cloud services’ misconfigurations before publishing its findings to prevent hackers from exploiting the affected Android apps.
While cloud services provide improved performance and flawless synchronization between servers and clients, many app developers are inexperienced in securing them.
James McQuiggan, Security Awareness Advocate at KnowBe4, says that “While it is disappointing that these apps expose so much sensitive information about their users online, it stresses that mobile and development app platforms need to implement two concepts into their vetting.”
He suggests that all apps should undergo security verification of the data storage environment before distribution.
“Second, programming platforms need to include a security audit and review within the code to ensure no opportunities for exploits against it,” McQuiggan adds. “This review would cover the basic security protections recommended by OWASP (Open Web Application Security Project) to protect the applications. These can include user authentication, safeguarding sensitive data, and checking for other security misconfigurations.”
Irfahn Khimji, Country Manager at Tripwire Canada, noted that misconfiguration of cloud services had become too common. He attributed the problem to the rapid growth of cloud-based storage.
“A misconfigured database on an internal network might not be noticed, and if noticed might not go public, but the stakes are higher when organizational data storage is directly connected to the Internet.
“Organizations should identify processes for securely configuring all systems, including cloud-based storage, such as Azure Blob Storage, Amazon S3 Buckets, and Elasticsearch. Once a process is in place, the systems must be monitored for changes to their configurations as change detection is key for securing an organization’s cloud storage and preventing inadvertent exposure.”
Tom Garrubba, CISO at Shared Assessments, noted that there was also the false perception that Google tests all applications before approving them on the Play Store.
“The truth is: many mobile app developers follow no development methodology, let alone employ basic application security controls to ensure that the downloader’s data is secured – the developers simply want to get the app to market.”
Dr. Chenxi Wang, General Partner at Rain Capital and former Forrester VP of Research and Carnegie Mellon professor, says that app platforms must provide deeper testing and verification tools. Additionally, they must also incentivize developers to observe proper security practices, according to Dr. Wang.