Thousands of mobile app cloud databases have been left exposed online

Open Lock
(Image credit: Pixabay)

Businesses continue to leave their cloud databases unsecured online despite the risk of company data and even user data being exposed.

Following a three month study, Check Point Research (CPR) found 2,113 mobile applications whose databases were unprotected in the cloud and could be accessed by anyone with a browser

The mobile apps with exposed databases ranged from those with more than 10k downloads all the way to very popular apps with over 10m downloads. CPR found a wide variety of sensitive data from the apps in question including chat messages, personal photos, phone numbers, emails, user names, passwords and more.

Head of threat intelligence and research at Check Point Software, Lotem Finkelsteen explained how the firm's security researchers were easily able to find these exposed databases using the free online tool VirusTotal, saying:

“In this research, we show how easy it is to locate data sets and critical resources that are open on the cloud to anyone who can simply get access to them by browsing. We share a simple method of how hackers can possibly do it. The methodology entails searching public file repositories like VirusTotal for mobile applications that use cloud services. A hacker can query VirusTotal for the full path to the cloud backend of a mobile application. We share a few examples of what we could find in there ourselves. Everything we found is available to anyone. Ultimately, with this research we prove how easy it is for a data breach or exploitation to occur. The amount of data that sits openly and that is available to anyone on the cloud is crazy. It is much easier to breach than we think.”

Mobile apps with exposed databases

In a new blog post, CPR provided several examples from its study without mentioning the names of the mobile apps that had left their cloud databases unsecured online.

The first app is for a large department store chain in South America which has been downloaded more than 10m times. By searching VirusTotal, CPR was able to find API gateway credentials and an API key. To make matters worse, these credentials were in plain text and anyone would be able to read them and use them to access the accounts of the department store's customers.

The next app is a running tracker application designed to track and analyze a runner's performance and it has been downloaded over 100k times. Its database contained users' GPS coordinates and other health parameters like their heart rates. With this information in hand, an attacker could create maps to track the whereabouts of the app's users.

Next up, CPR found the exposed database of a dating app for people with disabilities. This database contained 50k private chat messages along with pictures of the senders. CPR also found the exposed database of a widely used logo maker application that has been downloaded more than 10m times. Inside the database there were 130k usernames, emails and passwords.

In addition to these apps, CPR also came across the unsecured databases of a popular PDF reader as well as a bookkeeping application.

In the same way that security experts recommend that consumers protect their smartphones, tablets and laptops with strong and complex passwords, so too should businesses that use cloud databases to store data for their mobile apps.

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.