Android apps exposed data of millions of users through cloud authentication failures

Malicious apps are not the only security problem on our handsets: misconfiguration can also put us at risk.

Researchers analyzing Android apps have discovered serious cloud misconfigurations leading to the potential exposure of data belonging to over 100 million users. 

In a report published on Thursday by Check Point Research, the cybersecurity firm said no fewer than 23 popular mobile apps contained a variety of "misconfigurations of third party cloud services."

Cloud services are widely used by online services and apps today, perhaps even more so due to the rapid shift to remote working caused by the coronavirus pandemic. While they are useful for data management, storage, and processing, it only takes one access or authorization oversight to expose or leak the records they hold.

Apps, in particular, will often integrate with real-time databases to store and synchronize data across different platforms. However, the developers of some of the apps examined failed to make sure authentication mechanisms were in place.

According to CPR, the 23 Android apps examined -- including a taxi app, logo maker, screen recorder, fax service, and astrology software -- leaked data including email records, chat messages, location information, user IDs, passwords, and images. 

In 13 cases, sensitive data was publicly available in unsecured cloud setups. Each of these apps had between 10,000 and 10 million downloads.

While investigating the taxi service app, for example, the team was able to send one simple request to the app's database and pull up messages sent between drivers and customers, names, phone numbers, and both pick-up and drop-off locations.
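A defender-side check for the missing-authentication problem described above, as an added example that is not from Check Point's report or any of the apps. It assumes the backend uses Firebase Realtime Database security rules (the article does not name the product); the sample rules, paths and function names are constructed for illustration.

```python
import json

# Constructed sample in Firebase Realtime Database rules format (assumption:
# the article does not name the database product or show any real rules).
SAMPLE_RULES = """
{
  "rules": {
    "rides": {
      ".read": true,
      "$rideId": {
        "messages": { ".read": "auth != null", ".write": "auth != null" }
      }
    },
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "uploads": { ".write": "true" }
  }
}
"""

def _is_public(expr):
    """True when a rule grants access unconditionally (boolean true or "true")."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")

def audit(node, path="/", inherited=frozenset()):
    """Return sorted (path, op) findings where unauthenticated access is granted.

    Grants cascade downward and cannot be revoked by deeper rules, so only the
    shallowest public grant for each operation is reported.
    """
    findings = []
    granted = set(inherited)
    for op in (".read", ".write"):
        if op not in granted and _is_public(node.get(op)):
            findings.append((path, op))
            granted.add(op)
    for key, child in node.items():
        if not key.startswith(".") and isinstance(child, dict):
            findings += audit(child, path.rstrip("/") + "/" + key, frozenset(granted))
    return sorted(findings)

def audit_text(text):
    """Parse a rules document and audit everything under its "rules" key."""
    return audit(json.loads(text).get("rules", {}))
```

In the sample, the authenticated-only rule on `messages` does not protect the chat data, because the public `.read` on `/rides` already grants access to everything beneath it.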

The cloud services providing backend data management for the screen recorder and fax apps, too, were not adequately secured. CPR was able to recover the keys to grant access to stored recordings and fax documents by analyzing the applications' files. 

Push notification keys were also found in the apps, left open to abuse. If push services are exploited, they can be used to send malicious alerts to app users. 

The researchers say these security failures are due to developers failing to follow "best practices when configuring and integrating third party cloud services into their applications."

"This misconfiguration of real-time databases is not new, but [..] the scope of the issue is still far too broad and affects millions of users," CPR says. "If a malicious actor gains access to this data it could potentially result in service-swipe (trying to use the same username-password combination on other services), fraud, and identity theft."

CPR informed the app developers of the misconfigurations prior to disclosure and several have tightened up their controls.

Earlier this month, the researchers published an advisory on Qualcomm MSM data services and the discovery of a vulnerability that could theoretically be used to tamper with and inject malicious code into Android handset modems.  
