Misconfiguration of back-end cloud services by more than 20 mobile app developers may have exposed the personal data of over 100 million Android users, according to researchers.
A team at Check Point investigated 23 Android applications in a new piece of research, and found users’ emails, chat messages, location, passwords and photos all exposed by poor security practices.
There were three main issues. First, misconfiguration of the real-time databases that developers use to store data in the cloud and synchronize it with every client instantaneously.
In 13 of the apps studied, no authentication was deployed, enabling would-be attackers to access highly sensitive user data such as email addresses, passwords and private chats.
The second security snafu regarded push notification manager services.
“Most push notification services require a key (sometimes, more than one) to recognize the identity of the request submitter,” Check Point explained. “When those keys are just embedded into the application file itself, it is very easy for hackers to take control and gain the ability to send notifications which might contain malicious links or content to all users on behalf of the developer.”
The third issue was with cloud storage: again the researchers were able to find cases where developers had stored keys in the app file itself, enabling attackers to access sensitive user information.
Check Point said some, but not all, of the developers it contacted prior to publication had changed their configurations to mitigate the highlighted issues.
“This is the perfect storm of three issues — cloud misconfigurations, cloud credential leaks, and overly permissive mobile apps collecting more personal information than needed. Mobile apps usually rely on public cloud-based backend services like databases, analytics, and storage which are prime candidates for misconfiguration,” argued Saumitra Das, CTO of Blue Hexagon.
“Additionally, they release their code openly on app stores making it easier for folks to reverse engineer the inner workings. It is a common mistake to leave cloud access keys in code repositories and apps. Simple encodings like base64 are not enough to obscure the access keys which can allow anyone to then get access to customer PII being collected by the app in the cloud.”
A team at Check Point investigated 23 Android applications in a new piece of research, and found users’ emails, chat messages, location, passwords and photos all exposed by poor security practices.
There were three main issues. First, misconfiguration of the real-time databases that developers use to store data in the cloud and synchronize it with every client instantaneously.
In 13 of the apps studied, no authentication was deployed, enabling would-be attackers to access highly sensitive user data such as email addresses, passwords and private chats.
The second security snafu regarded push notification manager services.
“Most push notification services require a key (sometimes, more than one) to recognize the identity of the request submitter,” Check Point explained. “When those keys are just embedded into the application file itself, it is very easy for hackers to take control and gain the ability to send notifications which might contain malicious links or content to all users on behalf of the developer.”
The third issue was with cloud storage: again the researchers were able to find cases where developers had stored keys in the app file itself, enabling attackers to access sensitive user information.
Check Point said some, but not all, of the developers it contacted prior to publication had changed their configurations to mitigate the highlighted issues.
“This is the perfect storm of three issues — cloud misconfigurations, cloud credential leaks, and overly permissive mobile apps collecting more personal information than needed. Mobile apps usually rely on public cloud-based backend services like databases, analytics, and storage which are prime candidates for misconfiguration,” argued Saumitra Das, CTO of Blue Hexagon.
“Additionally, they release their code openly on app stores making it easier for folks to reverse engineer the inner workings. It is a common mistake to leave cloud access keys in code repositories and apps. Simple encodings like base64 are not enough to obscure the access keys which can allow anyone to then get access to customer PII being collected by the app in the cloud.”