Mobile app developers have potentially exposed the data of more than 100 million users due to misconfigurations of third-party cloud services, report researchers who analyzed Android apps.
The Check Point Research (CPR) team examined 23 Android applications and found multiple kinds of misconfigurations that may have exposed emails, chat messages, location, passwords, and photos. These misconfigurations may have also put developers' internal resources at risk.
In 13 of these applications, CPR found publicly available sensitive data from real-time databases that allow app developers to store data in the cloud and ensure it's synchronized to connected clients in real time. Some real-time databases were not configured with authentication, so the team could access data like chats and passwords by simply sending a request to the database.
A popular taxi app with this misconfiguration has more than 50,000 downloads, researchers report. They were able to access chat messages between drivers and passengers, and retrieve users' full names, phone numbers, and destination and pickup locations by sending a request.
The team also found push notification and cloud storage keys embedded in multiple Android apps themselves. Most push notification services require a key — sometimes multiple keys — to recognize the identity of who submitted a request. When those keys are embedded into the app file, it's easy for attackers to take control and send potentially malicious notifications.
Cloud storage is another common problem. When analyzing the "Screen Recorder" app, which has more than 10 million downloads, researchers were able to recover keys that grant access to each recording. Another app called iFax both had cloud storage keys embedded into the app and stored all fax transmissions there, they report.
Researchers note they disclosed their findings to Google and each app's developer before they published their findings. Some of the apps have since updated their configuration.
Read the full Check Point blog post for more details.