Compet Concept

Misconfiguration of third-party mobile apps exposes 100 million users' data

Despite the obvious advantages of modern cloud-based mobile application development services, such as cloud storage, notification management, real-time databases and analytics, many developers who build on them fail to adequately consider the security risks that arise when these services are misconfigured.

Recently, Check Point Research uncovered misconfigurations and implementation issues that exposed the data of 100 million mobile application users. This type of exposure puts both users and app developers at risk of reputational and security damage. In this case, developers left notification managers, storage locations, and real-time databases open to attackers, leaving 100 million users vulnerable.

In the case of real-time databases, cloud services let mobile apps sync user data to the cloud in real time. However, if developers do not implement this service with proper authentication, in principle anyone can read the database, including all of the app's customer data. In fact, the researchers were surprised that nothing at all stood between them and the open databases of certain apps on Google Play. The data obtainable this way included device locations, email addresses, passwords, private chats, and user IDs, among other items. Such exposure puts all of these users at risk of fraud and identity theft.

The popular horoscope app Astro Guru is one app with such a weakness, potentially exposing the personally identifiable information (PII) of all its users, including date of birth, email, gender, location, and payment information, across a recorded 10 million downloads.

Similarly, the taxi app T'Leva, which already has more than 50,000 installs, allowed the researchers to retrieve users' full names, phone numbers, and both their destinations and intended pickup locations simply by sending a query to the database.

The researchers also found that the push notification manager was exposed in the same way. This means that any malicious actor who gains access to the manager could send notifications to users on behalf of the developer.

Cloud storage used by these mobile apps poses a further risk for users: the research team found that many developers had embedded both the access key and the secret key for their stored data in the app itself, as in the case of the Screen Recorder application. A cursory analysis of the application file was enough for the researchers to recover these keys and access user records.
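The following is an added example, not code from Check Point Research or from this blog: a pre-release check that opens an APK as the ZIP archive it is and flags credential-like strings, so that an embedded access key is caught before the build ships rather than by whoever analyses the package afterwards. The package contents are constructed, the key values are AWS's published documentation examples rather than live credentials, and the detection patterns are assumptions that a project would tune.

```python
import io
import re
import zipfile
from typing import List, Tuple

# Credential patterns that must never ship inside a package. The AWS access key ID
# format (AKIA + 16 uppercase alphanumerics) is AWS's documented one; the
# labelled-secret pattern is a heuristic assumption and needs tuning per project.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "labelled_secret": re.compile(
        rb"(?i)(?:secret|api[_-]?key|access[_-]?key)[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{16,})"
    ),
}
# Members worth reading: bundled config, resources and bytecode. Native libraries are skipped.
SCAN_EXT = (".json", ".xml", ".properties", ".txt", ".js", ".dex")


def scan_apk_for_secrets(apk_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (member, pattern_name, token) for each credential-like string in an APK.

    An APK is an ordinary ZIP archive, so no SDK tooling is needed to read it; that is
    precisely why a key embedded in the package is trivial to recover after release.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for member in apk.namelist():
            if not member.lower().endswith(SCAN_EXT):
                continue
            data = apk.read(member)
            for name, pattern in PATTERNS.items():
                for m in pattern.finditer(data):
                    token = m.group(1) if m.re.groups else m.group(0)
                    findings.append((member, name, token.decode("ascii", "replace")))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample package (not a real app); key values are AWS's doc examples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("res/values/strings.xml", '<string name="app_name">Example App</string>')
        apk.writestr("assets/config.json",
                     '{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",\n'
                     ' "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}')
        apk.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for member, kind, token in scan_apk_for_secrets(build_sample_apk()):
        print(f"{member}: {kind} -> {token[:6]}...")
```

A non-empty result from this check should fail the CI job; the proper fix is to keep such keys out of the client entirely and have the app obtain scoped, short-lived credentials from a backend.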

Finally, research has shown that the CopyCat malware is also capable of retrieving keys for compromised cloud storage services, demonstrating that malicious actors exploit these same weaknesses.