100M Android Users Exposed in Misconfigured Cloud Databases
Check Point Software Technologies researchers gained access to the personal data of more than 100 million Android users through misconfigured third-party cloud services used by mobile apps. Their findings, published on May 20, name 23 widely used apps whose user data was exposed by oversights in the security configuration of cloud back-end services: real-time databases, cloud storage, and push-notification managers were left misconfigured, exposing both developers and users. In several of the apps, the access keys and secret keys for the service that stores personal data were shipped inside the app itself, so anyone who extracted them gained the same access to the stored data that the app has.
The mishandling of these cloud services revealed personal information including passwords, email addresses, device locations, private messages, and user identifiers. Astro Guru, an astrology app downloaded more than 10 million times, exposed its users’ personal details and payment information because the real-time database the app syncs with was left unprotected; this is a developer-side configuration failure that no protection installed by the user could prevent. Similarly, Check Point’s researchers retrieved chat messages exchanged between drivers and passengers of the T’Leva taxi app: a single unauthenticated request to the app’s real-time database returned the in-app correspondence of more than 50,000 users, together with their full names, locations, and phone numbers. The last example is Screen Recorder, a screen-recording app with more than 10 million users. Its developers embedded the access keys for the cloud storage service holding the recordings in the app itself, effectively handing the keys to anyone who decided to look.
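The T’Leva leak above comes down to a real-time database that answers an unauthenticated read of its root. The following is an added example, not code from the article or from Check Point: it shows an open rule set beside a corrected one and a small auditor that flags the grants that make the "single request" possible. The rule format is that of Firebase Realtime Database security rules, an assumption about which real-time database product the apps used (the article does not name the vendor); both rule sets, and the `users` and `messages` paths in them, are constructed for illustration.

```python
import json

# Added example, not code from the article or from Check Point. The rule
# format is Firebase Realtime Database security rules, an assumption about
# which "real-time database" product the apps used; the article does not
# name the vendor. Both rule sets below are constructed for illustration.

# Weak configuration: anyone who knows the database URL can read and write
# everything with a single unauthenticated request to the root.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Corrected configuration: no grants at the root, and each user-owned path
# is readable and writable only by the signed-in user whose uid it carries.
HARDENED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "messages": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
""")


def audit_rules(rules, path="/"):
    """Walk a rules tree and report every .read/.write grant that an
    anonymous caller satisfies (a literal true) or that any signed-in user
    satisfies because the expression never ties the path to auth.uid.

    Grants cascade downward in this rules language, so a permissive rule
    near the root exposes the whole subtree regardless of child rules.
    """
    node = rules["rules"] if path == "/" and "rules" in rules else rules
    findings = []
    for key, value in node.items():
        if key in (".read", ".write"):
            if value is True or value == "true":
                findings.append((path, key, "public: no authentication required"))
            elif isinstance(value, str) and value != "false" and "auth.uid" not in value:
                findings.append((path, key, "any signed-in user: rule does not check auth.uid"))
        elif key.startswith("."):
            continue  # .validate / .indexOn constrain shape; they do not grant access
        elif isinstance(value, dict):
            findings.extend(audit_rules(value, path.rstrip("/") + "/" + key))
    return findings


def anonymous_can_read_root(rules):
    """True when a single unauthenticated GET of the database root, the
    request the article describes, would succeed under these rules."""
    return any(p == "/" and k == ".read" and f.startswith("public")
               for p, k, f in audit_rules(rules))


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules(rules), "anonymous root read:", anonymous_can_read_root(rules))
```

The auditor reports an `auth != null` grant as well as a literal `true`, because a rule that only requires some signed-in identity still lets every account, including one created solely to read the data, pull another user's records; the corrected rules bind each path to `auth.uid`.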
Cloud back-end services are a convenient solution for mobile developers, but this widespread mishandling of their configuration and implementation put both developer and user data at risk. Check Point researchers found dozens of cases where developers attempted to hide the cloud-service keys inside the app rather than remove them; encoding or obscuring a key in a client does not fix the issue, because anyone who can decompile the app can recover it. The researchers contacted Google and the app developers before publishing their findings, yet only a few of the apps have changed their configuration since.
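To illustrate why hiding a key in the app does not help, and how the embedded keys described for Screen Recorder are found in practice, here is an added example that is not code from the article or from Check Point. It scans the decoded resources of an app package, assumed to be the output of a decompiler such as apktool, for the documented prefixes of cloud credentials and for real-time database endpoints, then re-scans any base64-looking token so that a key that was merely encoded is still reported. The `firebaseio.com` hostname is an assumption about which real-time database the apps used; the sample `strings.xml` fragment is constructed, and the AWS key ID in it is the placeholder from AWS documentation, not a real credential.

```python
import base64
import binascii
import re

# Added example, not code from the article or from Check Point. It scans
# the decoded resources of an app package (the output of a decompiler such
# as apktool, assumed here) for the kinds of credentials the article says
# were shipped inside the apps, and re-scans base64-looking tokens so that
# a key "hidden" by encoding is still reported.

# Key prefixes are the publicly documented formats. The firebaseio.com
# hostname is an assumption about which real-time database the apps used;
# the article does not name the vendor.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "realtime_db_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
}
# Runs of base64 alphabet long enough to hold an encoded key.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Constructed sample: a fragment of res/values/strings.xml as it might look
# after decoding an app that embeds its cloud credentials. The AWS key ID
# is the placeholder from AWS documentation, not a real credential.
SAMPLE_STRINGS_XML = "\n".join([
    '<string name="app_name">Example Recorder</string>',
    '<string name="db_url">https://example-recorder.firebaseio.com</string>',
    '<string name="storage_access_key">AKIAIOSFODNN7EXAMPLE</string>',
    '<string name="maps_key">AIzaSyD-EXAMPLE-EXAMPLE-EXAMPLE-EXAMPLE</string>',
    # The same key ID, base64-encoded the way a developer might try to hide it.
    '<string name="k">' + base64.b64encode(b"AKIAIOSFODNN7EXAMPLE").decode() + '</string>',
])


def scan_decoded_app(text):
    """Return sorted (finding, value) pairs for credentials and endpoints in
    decoded app text, including ones that were only base64-encoded."""
    findings = set()
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            findings.add((name, m.group(0)))
    for tok in B64_TOKEN.finditer(text):
        try:
            decoded = base64.b64decode(tok.group(0), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue  # not valid base64, or decodes to binary: not a hidden string
        for name, pat in PATTERNS.items():
            for m in pat.finditer(decoded):
                findings.add((name + " (base64-encoded)", m.group(0)))
    return sorted(findings)


if __name__ == "__main__":
    for finding, value in scan_decoded_app(SAMPLE_STRINGS_XML):
        print(f"{finding}: {value}")
```

Run it over the `res/` and `smali/` trees of a decoded package; a hit for an access key ID is a finding regardless of how the key was encoded, and the fix is to move the privileged operation behind a server-side endpoint that holds the key, not to encode the key differently.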