Researchers analyzing Android apps have found profoundly worrying cloud misconfigurations that expose the data of more than 100 million users. Check Point Research (CPR) published a report on Thursday saying that at least 23 mobile applications contain a variety of misconfigurations of third-party cloud services.
Cloud services are extensively used by apps and services these days, even more so after the shift in workplace environments that happened as a result of the pandemic. They are useful in data management, processing, and storage. The only problem is that it takes just a single leak or authorization flaw to expose everything.
What we have here is a failure to configure
Apps, in particular, tend to integrate with real-time databases to sync and store data across various platforms. The problem is that developers sometimes fail to ensure that authentication mechanisms are in place. CPR says that the 23 apps examined leaked personal data including email records, user identification, images, location information, messages, and passwords.
Some of the apps examined include a taxi app, a logo maker, astrology software, and a fax service. In 13 of the cases, sensitive data was available to the public on unsecured clouds. The apps had anywhere from 10,000 to 10 million downloads each.
The implications
During an examination of the taxi app, for instance, the team was able to send a sample request to the database and pull messages sent between drivers and clients, phone numbers, drop-off and pick-up locations, and names.
The cloud services providing the backend data management for the fax and screen recorder apps were also not secure enough. Through an analysis of the app files, CPR was able to get the keys to access stored fax documents and recordings.
CPR informed the developers before disclosing the flaws.
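Because the keys for the fax and screen recorder backends were recoverable from the app files, a developer can check a release build for the same exposure before shipping it. The following is an added example, not code from CPR or from the apps in the report: a pre-release scan of an APK archive for credential-shaped strings. The three patterns, the function names and the sample archive contents are assumptions, since the article does not name the cloud providers involved.

```python
import io
import re
import zipfile

# Assumed credential shapes; the article does not name the providers.
# Strings stored as UTF-16 (some compiled resource pools) are not matched.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"(?<![0-9A-Z])(?:AKIA|ASIA)[0-9A-Z]{16}(?![0-9A-Z])"),
    "google_api_key": re.compile(rb"AIza[0-9A-Za-z_\-]{35}"),
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

def redact(value: bytes) -> str:
    """Keep only a short prefix so the report does not re-leak the secret."""
    text = value.decode("ascii", "replace")
    return text[:8] + "..." if len(text) > 8 else text

def scan_apk(apk) -> list:
    """Return (entry name, pattern name, redacted match) for each hit.

    `apk` is a path or file-like object. Every archive entry is scanned as
    raw bytes, so hits in classes.dex or assets are found as well as text.
    """
    findings = []
    with zipfile.ZipFile(apk) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info)
            for name, pattern in PATTERNS.items():
                for match in pattern.finditer(data):
                    findings.append((info.filename, name, redact(match.group())))
    return findings

def build_sample_apk() -> io.BytesIO:
    """Constructed sample: an in-memory archive with one fake embedded key."""
    fake_key = b"AKIA" + b"EXAMPLEKEY000000"  # constructed, not a real key
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("assets/storage.properties",
                         b"storage_key=" + fake_key + b"\n")
        archive.writestr("assets/config.json", b'{"endpoint": "https://example.invalid"}')
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for entry, kind, preview in scan_apk(build_sample_apk()):
        print(f"{entry}: {kind} ({preview})")
```

A hit means the credential ships to every device that installs the app, so it should be rotated and moved behind an authenticated backend rather than obfuscated in place.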