Check Point Research (CPR) has determined that mobile app developers have exposed the personal data of over 100 million users. In an examination of 23 Android apps, CPR discovered numerous app developers misusing third-party cloud services, such as real-time databases, notification managers and cloud storage, exposing not only the developers' own data but also that of their users. The exposed personal data included emails, chat messages, location, passwords and photos, among others.
- CPR discovered publicly available sensitive data from real-time databases in 13 Android applications, each having downloads ranging from 10,000 installations to 10 million
- CPR found push notification and cloud storage keys embedded into a number of Android applications themselves
- CPR shows real examples of vulnerable applications: an astrology, taxi, logo-maker, screen recording and fax app
Misconfigurations of Real-time Database
A real-time database is one that works on live and constantly changing data, rather than persistent data stored on disk. App developers depend on real-time databases to store data in the cloud. CPR successfully accessed sensitive data from the real-time databases of 13 Android applications, ranging from 10,000 to 10 million downloads. If a malicious actor gained access to the sensitive data extracted by CPR, it could lead to fraud, identity theft and service-swipes, which is trying the same username-password combination on other services.
CPR is providing three examples found on the Google Play Store that were vulnerable to misconfigurations of real-time databases:
| App Name | Description | Data Extracted | # of Downloads |
| --- | --- | --- | --- |
| Astro Guru | Popular astrology, horoscope and palmistry app | Name, date of birth, gender, location, email and payment details | 10 million |
| T’Leva | Taxi app | Chat messages between drivers and passengers, plus users' full names, phone numbers and locations (destination and pick-up) | 50,000 |
| Logo Maker | Free graphic design and logo templates | Email, password, username, user-ID | 10 million |
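The misconfiguration described above comes down to database access rules that let anyone read (and often write) the whole data tree. The following added example, which is not CPR's tooling or any of the listed apps' code, shows a weak rules document beside a hardened one and a small audit function that flags world-readable or world-writable nodes. It assumes the JSON-style rules format used by Firebase-like real-time databases (".read"/".write" keys holding either a boolean or an expression); the page itself does not name the database product.

```python
"""Audit a real-time database rules document for public read/write access.

Added example; the rules format is assumed to be the JSON-style rules used by
Firebase-like real-time databases, which the page does not state explicitly.
"""
import json
from typing import List

# Constructed sample: the weak configuration that leaves every record public.
WEAK_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Constructed sample: each signed-in user may read and write only their own
# subtree, and nothing is readable anonymously.
HARDENED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
})


def _is_public(value) -> bool:
    """A permission is public when it is literally true or the string 'true'."""
    if value is True:
        return True
    return isinstance(value, str) and value.strip().lower() == "true"


def audit_rules(rules_json: str) -> List[str]:
    """Return findings such as 'PUBLIC READ at /chats'.

    Walks the rules tree: '.read' and '.write' keys carry permission
    expressions; every other key whose value is an object is a child path
    segment (e.g. "users" or the wildcard "$uid").  Other dotted keys such as
    '.validate' hold strings, so they are skipped by the isinstance check.
    """
    doc = json.loads(rules_json)
    findings: List[str] = []

    def walk(node: dict, path: str) -> None:
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_public(value):
                    findings.append(f"PUBLIC {key[1:].upper()} at {path or '/'}")
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules(rules) or "no public nodes")
```

Run as a pre-deployment check, a non-empty result from `audit_rules` is the signal that the database would be exposed exactly as the table above describes. The hardened rules still need to match the app's actual data layout; the `users/$uid` shape is only a constructed illustration.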
Found: Push Notification Keys Embedded into Apps
Developers need to send push notifications to engage with users. Most push notification services require a key to recognise the identity of the request submitter. CPR found these keys embedded into a number of applications themselves. While the data of the push notification service is not always sensitive, the ability to send notifications on behalf of the developer is more than enough to lure malicious actors.
Found: Cloud Storage Keys Embedded into Apps
Cloud storage on mobile applications is a sophisticated solution for accessing files shared by either the developer or the installed application. CPR found applications on Google Play with cloud storage keys exposed. Please see examples below:
| App Name | Description | Data Extracted | # of Downloads |
| --- | --- | --- | --- |
| Screen Recorder | Used to record the device’s screen and store the recordings on a cloud service | Access to each stored recording | 10 million + |
| iFax | Send fax from phone, receive fax for free | Stored fax transmissions | 500,000 |
Many app developers know that storing cloud-service keys in their application is bad practice. After analysing dozens of cases, CPR found a few examples of developers who tried to “cover up” the problem with a solution that did not actually fix it.
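Both of the preceding findings (push notification keys and cloud storage keys shipped inside the app) can be caught before release by scanning the app's own resource files for credentials. The added example below, which is neither CPR's tooling nor code from any of the apps named on this page, scans a constructed Android strings.xml for two assumed well-known key formats (an AWS access key ID and a legacy FCM server key) and for any long opaque value stored under a credential-like resource name; the patterns, resource names and sample values are all assumptions made for the example.

```python
"""Pre-release check: flag cloud-service credentials embedded in an Android
app's resource files.

Added example, not Check Point's tooling.  The key-format patterns below are
assumptions based on commonly documented formats; the resource names and
values are constructed and are not real credentials.
"""
import re
from typing import Dict, List

# Constructed sample of a res/values/strings.xml as it might ship in an APK.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">ExampleFax</string>
    <string name="push_server_key">AAAAexampleServerKey:APA91bFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE</string>
    <string name="storage_access_key">AKIAEXAMPLEEXAMPLE12</string>
    <string name="storage_secret">EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0</string>
    <string name="support_email">support@example.invalid</string>
</resources>
"""

# Assumed formats: AWS access key IDs start with AKIA + 16 uppercase
# alphanumerics; legacy FCM server keys look like "AAAA<id>:APA91b<body>".
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "fcm_legacy_server_key": re.compile(r"\bAAAA[A-Za-z0-9_\-]{5,}:APA91b[A-Za-z0-9_\-]{50,}\b"),
}

# Fallback heuristic: a credential-like resource name holding a long opaque value.
KEY_NAME_HINT = re.compile(r"(key|secret|token|credential)", re.I)
LONG_OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-:+/=]{20,}$")

# One <string name="...">value</string> entry; DOTALL so multi-line values match.
STRING_ENTRY = re.compile(r'<string\s+name="([^"]+)"\s*>(.*?)</string>', re.S)


def scan_strings_xml(xml_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious resource: {"name": ..., "reason": ...}."""
    findings: List[Dict[str, str]] = []
    for name, raw_value in STRING_ENTRY.findall(xml_text):
        value = raw_value.strip()
        reason = None
        # Known key formats take precedence over the name-based heuristic.
        for label, pattern in KNOWN_FORMATS.items():
            if pattern.search(value):
                reason = label
                break
        if reason is None and KEY_NAME_HINT.search(name) and LONG_OPAQUE_VALUE.match(value):
            reason = "opaque value under a credential-like name"
        if reason:
            findings.append({"name": name, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{finding['name']}: {finding['reason']}")
```

Wiring `scan_strings_xml` into the build so that any finding fails the pipeline is the simplest way to stop a key from reaching the Play Store in the first place; keys that must exist server-side belong behind the developer's own backend rather than in the APK.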
Quote: Aviran Hazum, Manager of Mobile Research at Check Point Software:
“Most of the apps we took a look at are still exposing the data now. Data gathering, especially by a malicious actor, is very serious. Ultimately, victims become vulnerable to many different attack vectors, such as impersonations, identity theft, phishing and service swipes. Our latest research sheds light on a disturbing reality where application developers place not only their data, but their private users’ data at risk. By not following best-practices when configuring and integrating third party cloud-services into applications, tens of millions of users’ private data has been exposed. We hope our research sends a strong message to the developer community to be extra careful on how they use and configure third party cloud services. To solve, developers need to scan their applications for the vulnerabilities we’ve outlined.”
How Mobile Phone Users can Stay Safe
To mitigate for the threats outlined in this research, CPR recommends the installation of an effective mobile threat defense solution that can detect and respond to a variety of different attacks, while providing a positive user experience.
Responsible Disclosure
CPR approached Google and each of these apps' developers prior to the publication of this blog to share our findings. Afterwards, one of the apps changed its configuration.