Private Data From 100 Million Android Users At Risk Due To Cloud Leak
Cloud-based additions to mobile apps have become commonplace, but they are not always the best thing for consumers or developers. According to new research, by either misconfiguration or simple lack of security best practices, some mobile app developers have left the personal data of over 100 million people at risk.
Cyber threat intelligence company Check Point Research (hereafter CPR) recently discovered that many application developers put user data at risk by not following best practices when “configuring and integrating 3rd party cloud services into applications.” This vulnerable data could include both developers’ and consumers’ information, which is quite the incentive to not have this happen.
After making this alarming discovery, CPR dug into how the personal data of over 100 million users, such as emails, passwords, names, and more, was left exposed to malicious actors. As it turns out, it is as simple as not enabling proper authentication techniques for a real-time database for storing data in the cloud. The CPR researchers could access databases containing emails, passwords, usernames, birth dates, chat messages and much more, all of which makes for a privacy
CPR found Astro Guru, an "astrology, horoscope and palmistry app with over 10 million downloads," with a leakage problem.
This was accomplished by scraping private cloud storage access keys from application files and then easily accessing databases. These keys could exist in cleartext, encoded in Base64, or obscured by other methods that are neither foolproof nor even safe. It was even found that malware-laden apps had these issues, meaning the researchers could go in and modify all data that existed in the cloud storage for said apps.
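As an added example (not from CPR or the original article), here is a small Python check a developer could run over strings extracted from their own app build to catch credential-like settings left in cleartext or merely Base64-encoded. The setting-name patterns and the sample lines are constructed assumptions.

```python
import base64
import binascii
import re

# Assumed naming convention for credential-like settings; tune it for your code base.
KEY_NAME = re.compile(
    r"(?i)\b([\w.]*(?:secret|access[_-]?key|api[_-]?key|token|password)[\w.]*)"
    r"\s*[=:]\s*[\"']?([^\s\"']{8,})"
)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def try_b64(text):
    """Return the decoded text if `text` is valid Base64 of printable ASCII, else None."""
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return decoded if decoded.isprintable() else None


def scan(lines):
    """Return (line_no, encoding, setting_name) per finding; values are never echoed."""
    findings = []
    for no, line in enumerate(lines, 1):
        for m in KEY_NAME.finditer(line):
            findings.append((no, "cleartext", m.group(1)))
        # Base64 hides nothing: decode each candidate run and apply the same check.
        for run in B64_RUN.findall(line):
            decoded = try_b64(run)
            if decoded:
                for m in KEY_NAME.finditer(decoded):
                    findings.append((no, "base64", m.group(1)))
    return findings


# Constructed sample: lines as they might appear in strings pulled from an app build.
SAMPLE = [
    "app.name=Horoscope Demo",
    "storage.access_key=EXAMPLE-ONLY-1111",
    'String CFG = "%s";' % base64.b64encode(b"storage_secret=EXAMPLE-ONLY-0000").decode(),
    "build.id=release2021buildnumber0042",
]

if __name__ == "__main__":
    for no, encoding, name in scan(SAMPLE):
        print(f"line {no}: {name} stored as {encoding}")
```

A finding here means the credential ships to every device that installs the app, so the fix is to keep it server-side rather than to encode it differently.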
While there is no amazing way to detect these sorts of vulnerabilities outright, CPR suggests using its “Check Point Harmony Mobile” app, which “automatically scans and identifies mobile security threats and vulnerabilities.” Moreover, users need to be cautious of apps that they download, only using ones from reputable sources and brand names. At the end of the day, there are better ways to find your horoscope than downloading a random app and plugging in personal information. Otherwise, we can tell you your horoscope instead: “You are vulnerable to data theft, and you should be more alert.”