Image courtesy: fierce telecom
Mobile applications unveil user data that includes emails, chat messages, location, and passwords.The Security researchers have unearthed 23 Android apps that exposed over 100 million user’s personal data via various misconfigurations of third-party services of the cloud.
According to the CheckPoint Research, the data unveiled from the android applications included emails, chat messages, location, passwords, and photos. Researchers said that it left users exposed to fraud, identity theft, and service swipes (by using the same username-password combination on other services).
There are 10,000 to 10 million downloads for those 13 android applications :
The first trouble researchers had discovered was the misconfiguration of real-time database developers used to hoard data in the cloud and synchronize with connected users.In 13 Android applications, whose download number ranges from 10 thousands to 10 million, no authentication was in place to avert hackers from retrieving these databases containing e-mail addresses, passwords, private chats, device locations, user identifiers, and many more.
User’s personal data were also easily accessible :
With over 50,000 downloads, researchers could gain access to chat messages in between the drivers and the passengers. They could also gain access to user’s full names, phone numbers, and their locations (destinations and pick-ups) – all by sending a single request to the database.Most of the push notification services need a key or sometimes keys to recognize the identity of the request submitter. When those keys get embedded into the application file itself, it becomes easy for hackers to get control and gain the ability to send those notifications, which might contain spiteful links or content for the users in favor of the developer.
The third problem happened in cloud storage. In one application, researchers could gain access to cloud storage keys that are embedded into the application and all the stored fax transmissions.According to researchers, by just analyzing the application, a spiteful actor could get access to any and all of the documents sent by the 5 lakh users who downloaded this application.According to researchers they have approached Google and each application developer before getting their research published to share their findings.
image courtesy: CloudPassage