Misconfiguration of third-party mobile apps exposes 100 million users' data
Despite the obvious advantages of modern cloud-based mobile
application development solutions – such as cloud storage,
notification management, real-time databases and analytics – many
developers who build apps on these solutions fail to adequately
consider the security risks that arise when the services are
misconfigured.
Recently, Check Point Research uncovered misconfigurations and
implementation issues that exposed the data of 100 million mobile
application users. Exposure of this kind puts both users and app
developers at risk of security and reputational damage. In this
case, developers left notification managers, storage locations,
and real-time databases open to attackers, leaving 100 million
users vulnerable.
Real-time databases are cloud services that let mobile apps sync
user data to the cloud as it changes. However, if developers do
not implement the service with authentication, any user can in
principle access the database, including all of its mobile
customer data. In fact, the researchers were surprised to find no
barriers at all to accessing the open databases of certain apps on
Google Play. Data obtainable in this way included device
locations, email addresses, passwords, private chats, and user
IDs, among other sensitive records. Such exposure puts all of
these users at risk of fraud and identity theft.
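The open-database exposure described above comes down to access rules that grant read or write to anyone, with or without authentication. The following is an added example, not code from the article or from Check Point Research: it assumes the database is Firebase Realtime Database (the article does not name the product) and shows a constructed world-open rule set beside a constructed rule set scoped to the signed-in user, with a small auditor that flags every path whose rule is an unconditional `true`.

```python
import json

# Constructed sample: a world-readable and world-writable rule set of the kind the
# article describes. Firebase Realtime Database syntax is an assumption here.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed sample: the same database restricted so that a signed-in user can
# read and write only the subtree keyed by their own uid.
SCOPED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
""")


def find_public_paths(node, path="/"):
    """Return (path, permission) pairs whose .read/.write rule is unconditionally true.

    A literal true (or the string "true") grants access to anyone who knows the
    database URL, regardless of authentication. Rules cascade downward, so a public
    rule at the root exposes every record beneath it.
    """
    findings = []
    for key, value in node.items():
        if key in (".read", ".write"):
            if value is True or str(value).strip().lower() == "true":
                findings.append((path, key))
        elif isinstance(value, dict):
            findings.extend(find_public_paths(value, path.rstrip("/") + "/" + key))
    return findings


def audit_rules(rules_doc):
    """Audit a full rules document; an empty list means no unauthenticated access."""
    return find_public_paths(rules_doc.get("rules", {}))


if __name__ == "__main__":
    print("open rules:  ", audit_rules(OPEN_RULES))
    print("scoped rules:", audit_rules(SCOPED_RULES))
```

The auditor only catches literal `true` rules; an expression such as `auth != null` still lets any signed-in account read every other user's data, so per-record checks like the `$uid` comparison above are what actually scope access.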
Popular horoscope app Astro Guru, with a recorded 10 million
downloads, is one app with such a weakness, potentially exposing
all of its users to a leak of personally identifiable information
(PII) — such as date of birth, email, gender and location, and
payment information.
Similarly, the taxi app T'Leva, which has more than 50,000
installs, allowed researchers to retrieve users' full names, phone
numbers, and both their destinations and intended pickup locations
simply by sending a query to the database.
The researchers also found that the push notification manager was
exposed. Any malicious actor who gains access to the manager could
send notifications to users on behalf of the developer.
Cloud storage also poses a particular risk for users of these
apps: the research team found that many developers disclose both
the access keys and the secret keys to stored data inside the app
itself, as was the case with the Screen Recorder application. A
cursory analysis of the application file allowed researchers to
recover these keys and access user records.
Finally, research has shown that CopyCat malware is also capable
of retrieving keys for compromised cloud storage services, showing
how malicious developers can exploit these vulnerabilities as
well.