Almost two dozen (23, to be precise) Android apps found on the Google Play Store are at the heart of the issue. Researchers from cybersecurity firm Check Point said the offending Android apps were using unprotected real-time databases, which led to the issue. This misconfiguration of third-party cloud services meant personal data such as emails, passwords, photos, chat messages and location info could have ended up with bad actors.
This, in turn, could lead to identity theft and service swipes, Check Point warned.
The offending apps ranged in popularity from as few as 10,000 downloads from the Google Play Store to over 10 million. Popular Play Store apps that Check Point highlighted included Logo Maker, Screen Recorder and Astro Guru.
This trio of apps all have over 10 million Google Play Store installs and – in the case of Screen Recorder – have been rated by hundreds of thousands of Android users. In total, Check Point highlighted a dozen Google Play Store apps that had over 10 million installs, with three – such as iFax – having over 500,000 users.
Most of the apps Check Point analysed had a real-time database that was unprotected, which exposed sensitive user information. In a study published online, the security experts said misconfiguration of real-time databases is a widespread issue that affects millions of users. And they said that this issue could be avoided with a simple and basic feature such as authentication.
Check Point said: “Real-time databases allow application developers to store data on the cloud, making sure it is synchronised in real-time to every connected client. This service solves one of the most encountered problems in application development, while making sure that the database is supported for all client platforms. However, what happens if the developers behind the application do not configure their real-time database with a simple and basic feature like authentication?
“This misconfiguration of real-time databases is not new, and continues to be widely common, affecting millions of users. All CPR researchers had to do was attempt to access the data. There was nothing in place to stop the unauthorised access from happening.
“While investigating the content on the publicly available database, we were able to recover a lot of sensitive information including email addresses, passwords, private chats, device location, user identifiers, and more. If a malicious actor gains access to this data, it could potentially lead to service-swipes (i.e. trying to use the same username-password combination on other services), fraud, and/or identity-theft.”
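The misconfiguration Check Point describes is a database whose access rules grant reads and writes to anyone, with no authentication check at all. The following is an added example, not code from the article or from Check Point's research: a small audit script that scans a Firebase-style Realtime Database rules document for any `.read` or `.write` rule that grants access without consulting `auth`. It assumes the databases in question are Firebase Realtime Databases (the article only says "real-time databases"); the rules syntax, the two sample rule sets and the function names are constructed for this example.

```python
"""Audit Firebase-style Realtime Database rules for unauthenticated access.

Added example, not part of the article or Check Point's research. It assumes
the database is a Firebase Realtime Database whose rules are a JSON document
with ".read" / ".write" keys; the sample rule sets below are constructed.
"""
import json
import re

# Constructed sample: the weak setting. Every client, signed in or not, can
# read and write the entire database. This is the kind of configuration the
# article describes.
WEAK_RULES = json.dumps({"rules": {".read": True, ".write": True}})

# Constructed sample: the corrected setting. Nothing is granted at the root,
# and each user may only read or write their own subtree once authenticated.
HARDENED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
})

ACCESS_KEYS = (".read", ".write")


def _is_open(expr):
    """True when a rule expression grants access without consulting auth."""
    if expr is True:
        return True
    if expr is False or expr == "false":
        return False
    if isinstance(expr, str):
        # An expression that never mentions `auth` cannot require a signed-in
        # user; the literal string "true" is the classic misconfiguration.
        return not re.search(r"\bauth\b", expr)
    return False


def find_open_rules(rules_json):
    """Return (path, key, expression) for every rule granting public access.

    Rules cascade downward: a permissive ".read" at a node opens the whole
    subtree beneath it, so a finding at the root ("/") is the worst case.
    """
    doc = json.loads(rules_json)
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in ACCESS_KEYS:
                if _is_open(value):
                    findings.append((path or "/", key, value))
            else:
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


def is_publicly_accessible(rules_json):
    """Does any node allow reads or writes with no authenticated user?"""
    return bool(find_open_rules(rules_json))


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, "->", find_open_rules(rules) or "no open rules")
```

Run against the two constructed rule sets, the script reports both root-level rules of the weak configuration as open and nothing for the hardened one. The check is deliberately conservative: any expression that does not reference `auth` is flagged, so a rule that scopes access by some other condition would still surface for manual review.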
You can find a full list of the offending apps, and their corresponding vulnerabilities, in this article – courtesy of Bleeping Computer.
Check Point said they approached Google prior to publishing their findings, and a few of the aforementioned apps went on to change their configuration.
Advising Android users on how to stay safe, Check Point said effective mobile threat solutions – which the firm itself offers via Check Point Harmony Mobile – can detect and respond to a variety of different attacks.
Published at Sun, 23 May 2021 03:01:00 +0000