Check Point Software Technologies researchers gained access to data from more than 100 million Android users because of misconfigured cloud-based storage services. They released their findings on May 20, naming 23 popular mobile apps that put users' internal data at risk through neglected cloud-based storage security configuration. Real-time databases, cloud storage, and push-notification managers were misconfigured, leaving both developers and users exposed. In some apps, both the secret and the access keys were embedded in the same service that stores the personal data.
Mishandling of these cloud-based services revealed personal information such as passwords, email addresses, device locations, private messages, user IDs, and more. For example, Astro Guru, an astrology application downloaded more than ten million times, exposed the personal information and payment details of its users due to insecure synchronization, which could have been avoided with proper protection against identity theft. Similarly, Check Point researchers managed to acquire chat messages exchanged between drivers and passengers on the T’Leva taxi app. With a single request sent to the app’s real-time database, they retrieved the correspondence of more than 50,000 users; the users’ full names, locations, and phone numbers were returned by the same request. The last example is a screen recording and storage application called Screen Recorder, which has over 10 million users. Its developers embedded passwords in the same database they used to store recordings, essentially offering them to anyone who decided to look.
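The exposures above share one root cause: a real-time database whose access rules let any client read the whole tree, so a single unauthenticated request returns every user's records. The following is an added illustration, not configuration from Check Point's report or from any of the named apps; it assumes a Firebase Realtime Database, which the article does not name, and uses Firebase's rules syntax (a JSON document that permits `//` comments). The first rule set is the kind of open configuration that produces the mass exposure described above; the second, shown after it, denies by default and scopes each record to the authenticated user or chat participants it belongs to. The `users`, `chats`, `driverId` and `passengerId` paths are hypothetical names chosen for the example.

```json
// ---- Weak: the whole tree is world-readable and world-writable. ----
// A single GET against the database root returns every user's data,
// and any client can overwrite it. This is the misconfiguration that
// exposes tens of thousands of records with one request.
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

// ---- Hardened: deny by default, grant per record. ----
// Rules cascade downward, so a permissive rule at the root cannot be
// revoked deeper in the tree. Start closed at the root and open only
// the paths that need access, tied to the caller's authenticated uid.
{
  "rules": {
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // A user may read and write only their own profile node.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },

    "chats": {
      "$chatId": {
        // Only the driver and passenger recorded on the chat may read it.
        ".read": "auth != null && (data.child('driverId').val() == auth.uid || data.child('passengerId').val() == auth.uid)",
        // Writes must name the caller as one of the two participants.
        ".write": "auth != null && (newData.child('driverId').val() == auth.uid || newData.child('passengerId').val() == auth.uid)"
      }
    }
  }
}
```

The rules, not anything shipped inside the app, are the actual access boundary: every string in a published mobile binary, including any database URL or key it contains, should be treated as readable by whoever installs the app, which is why a closed default plus per-path grants matters more than hiding credentials in the client.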
Cloud storage in mobile applications is a very convenient solution for developers. However, this widespread but loosely managed configuration and deployment puts the data of both developers and users at risk. Check Point Software researchers found dozens of cases where developers tried to hide the cloud service keys kept in their applications using techniques that do not actually fix the problem. The researchers had contacted Google and the app developers before publishing their results; however, only a few of the applications have changed their configuration since.