Monday, May 24, 2021 06:00 AM (GMT+7)
More than 100 million users of nearly two dozen Android apps have had their personal data exposed.
New research from Check Point Research (CPR) found that the problem stems from how developers misuse third-party cloud services. The company released a report with specific examples of vulnerable apps, including astrology, taxi, screen recording, and mobile fax apps. CPR also found sensitive data publicly available in the real-time databases of several Android apps that have garnered between 10,000 and 10 million installs, including personal data such as emails, chat messages, passwords, and photos… In addition, CPR found push notification keys and cloud storage keys embedded in many Android apps.
There are three listed apps that leak user personal data.
CPR explains in an email on the matter that “A real-time database is a database that operates on live and constantly changing data, not persistent data stored on disk. Application developers depend on real-time databases to store data in the cloud… If a bad guy gets access to sensitive data extracted by CPR, it can potentially lead to fraud, identity theft, and the service is trying to use the same username-password combination on other services.”
As described, with mobile apps becoming a ubiquitous part of our lives, it’s not just the apps themselves that need to be secure. Developers also need to stop and consider the security of the mobile services and packages they depend on, such as cloud-based storage, real-time databases, analytics, and information management.
Examples of Android apps cited by CPR in this new report are Astro Guru, T’Leva, and Logo Maker. T’Leva is a taxi app that received 50,000 downloads, while Astro Guru (astrology app) and Logo Maker (graphic design app) reached 10 million downloads.
There are apps that have been downloaded millions of times.
The report identified the following data that CPR found exposed by each app:
– Astro Guru: name, date of birth, gender, location, email and payment details.
– T’Leva: chat messages between driver and passenger, the user’s full name, phone number and location (destination and pick up point).
– Logo Maker: email, password, username.
“Most of the apps we’ve reviewed are still exposing data,” said Aviran Hazum, CPR’s mobile software manager. “The collection of data, especially by a malicious actor, is very serious. Ultimately, the victim becomes vulnerable to a variety of attack vectors, such as impersonation, identity theft, phishing, and service swipes. Our latest research sheds light on a disturbing reality where app developers put not only their own data, but also their users’ private data, at risk.”
“By not following best practices when configuring and integrating third-party cloud services into applications, tens of millions of users’ private data was exposed. This real-time database misconfiguration isn’t new, but we’re surprised the scope of the problem is still so broad and affects millions of users. All our researchers had to do was try to access the data. There is nothing to prevent unauthorized access from being processed,” Hazum added.