Numerous Android apps in the Google Play Store have been found to leak personal user data due to misconfigurations in their settings.
In a recently published report, researchers from Check Point have listed Android applications that, according to them, might expose more than a hundred million smartphone users and developers to malicious attacks.
The researchers observed that the listed Android applications had a number of misconfigurations related to third-party cloud services. According to them, these misconfigurations made the personal data (including emails, text messages, location, passwords and images) of millions of users publicly accessible.
The main problem with the apps stems from the fact that developers are not applying best practices when configuring third-party cloud services and connecting them to their applications.
A major issue pointed out in the report is that real-time databases, which allow for cloud storage of data, are commonly misconfigured, giving easy access to all the stored sensitive information without any authentication.
To prove their point, the researchers revealed that, while analyzing apps found to have this real-time database misconfiguration, they were able to see chat messages and retrieve users’ full names, phone numbers, and locations from a popular taxi app called T’Leva. They were also able to obtain data such as date of birth, gender, and payment details from an astrology app named Astro Guru.
The revelations in the study point to the fact that users of the listed Android apps could easily have their personal data exposed to malicious actors, not due to flaws in the apps’ development but because developers failed to correctly configure and protect access to their apps by third-party services.
The research states that mobile app developers have not exposed this data purposefully. However, the detected misconfigurations make it easy for attackers to get their hands on personal information that could later be used in attacks.
According to the published information, while the developers of all apps mentioned in the report have been informed, only a few of them have taken action to address the detected misconfiguration issues and change their settings.