Android apps put data of 100 million Google Play Store users at risk

System Hardening Android
(Image credit: Google)

Security researchers have discovered that some popular Android apps leaked the data of over 100 million users after developers failed to properly configure their third party cloud services.

News of the widespread data leak comes from a study of just 23 apps by cyber threat intelligence vendor Check Point Research (CPR).

Its research turned up all kinds of personal data including emails, chat messages, location, passwords and photos, which CPR argues could lead to identity-theft and fraud.

TechRadar needs yo...

We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.

>> Click here to start the survey in a new window<<

The cybersecurity company says cloud services such as cloud storage, cloud databases, cloud analytics, and such have become an inherent part of a mobile application developers’ workflow, yet many refuse to follow security best practices when configuring them.  

“Modern cloud-based solutions have become the new standard in the mobile application development world....Yet, developers often overlook the security aspect of these services, their configuration, and of course, their content,” says CPR.


CPR researchers note that it didn’t take them much effort to access sensitive data from real-time databases in thirteen Android apps, many of which have clocked millions of downloads.

More troubling is the fact that CPR found keys for push notifications and cloud storage embedded inside a number of Android apps themselves. If malicious attackers get hold of the push notification keys of an app, they can send malevolent content via notifications to users of the app.

Similarly, they were able to retrieve the cloud storage keys for some popular apps, which allowed them to view details that the users of the apps have entrusted to the app.

CPR has identified several apps, along with their security shortcomings, in their analysis, though they add that they approached both Google and the developers of the apps before sharing their findings.

“A few of the apps have changed their configuration,” shares CPR suggesting that many apps failed to mend their ways despite being warned. 

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.