Security researchers have discovered that some popular Android apps (opens in new tab) leaked the data of over 100 million users after developers failed to properly configure their third party cloud services (opens in new tab).
News of the widespread data leak comes from a study of just 23 apps by cyber threat intelligence vendor Check Point Research (CPR).
Its research turned up all kinds of personal data including emails, chat messages, location, passwords and photos, which CPR argues could lead to identity-theft and fraud.
- These are the best antivirus apps for Android (opens in new tab)
- Also check our roundup of the best privacy apps for Android (opens in new tab)
- Shield yourself with these best identity theft protection services (opens in new tab)
The cybersecurity (opens in new tab) company says cloud services such as cloud storage (opens in new tab), cloud databases (opens in new tab), cloud analytics (opens in new tab), and such have become an inherent part of a mobile application developers’ workflow, yet many refuse to follow security best practices when configuring them.
“Modern cloud-based solutions have become the new standard in the mobile application development (opens in new tab) world....Yet, developers often overlook the security aspect of these services, their configuration, and of course, their content,” says CPR.
Treasure-trove
CPR researchers note that it didn’t take them much effort to access sensitive data from real-time databases in thirteen Android apps, many of which have clocked millions of downloads.
More troubling is the fact that CPR found keys for push notifications and cloud storage embedded inside a number of Android apps themselves. If malicious attackers get hold of the push notification keys of an app, they can send malevolent content via notifications to users of the app.
Similarly, they were able to retrieve the cloud storage keys for some popular apps, which allowed them to view details that the users of the apps have entrusted to the app.
CPR has identified several apps, along with their security shortcomings, in their analysis, though they add that they approached both Google and the developers of the apps before sharing their findings.
“A few of the apps have changed their configuration,” shares CPR suggesting that many apps failed to mend their ways despite being warned.
- Protect your devices with these best antivirus software (opens in new tab)