Data from more than 100 million Android app users has been exposed due to misconfigurations of third-party services.
Detailed on May 20 by researchers at Check Point Software Technologies Ltd., the exposure covers 23 popular applications that put users’ personal data at risk through the developers’ internal resources, such as access to device mechanisms, upgrade and storage.
The potential breach is primarily due to the use of real-time databases, a service that allows developers to store data in the cloud. The researchers found that they could retrieve sensitive information, including email addresses, passwords, private chats, device location, user IDs, and more, all because the apps didn’t secure access between the app and the cloud database.
An example is an app called Astro Guru, which is described as a popular astrology, horoscope and palmistry app with over 10 million downloads. Researchers were able to access personal information, including payment details, due to the insecure way of synchronizing data using real-time cloud-based databases.
The researchers noted that while cloud storage in mobile apps is a sleek solution for accessing files, there can be serious implications if developers embed secret and access keys to the same service in their apps.
“Some of these issues discovered in the Check Point investigation are similar to what we addressed in the iPhone Recorder incident,” Michael Isbitski, technical evangelist at an application programming interface security company, told SiliconANGLE. “Mobile application developers typically make use of cloud-hosted databases and data storage, such as AWS S3, to store content for mobile customers.”
For some of the Android apps Check Point examined, he explained, the developers embedded the keys for connecting to backend cloud storage directly into the code of the mobile app. “It’s a bad practice to encrypt and store static passwords to an application, which in turn is used to connect to an organization’s backend APIs and third-party cloud APIs,” he said.
Ray Kelly, chief security engineer for cloud application security provider WhiteHat Security Inc., noted that developers tend to think that mobile backends are hidden from hackers, a practice known in the cybersecurity industry as “security through obscurity.”
“It’s like hiding the house key under your mantle and thinking your house is safe,” Kelly said. “To ensure that a mobile application is secure, the binary test, network layer, backend storage, and application APIs need to be thoroughly checked for security vulnerabilities that can cause problems such as data leaks.”
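A pre-release check for the hard-coded keys described above, as an added example that is not from Check Point or the original article: it scans source or decompiled text from your own build for AWS access key IDs and quoted secrets, and notes real-time database endpoints whose access rules should be reviewed. The Firebase-style URL pattern is an assumption (the article does not name the database service), and the sample file is constructed using AWS's documented example key values.

```python
import re

# Patterns for credentials and endpoints that deserve review before an app ships.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "hardcoded-secret": re.compile(
        r'\b(\w*(?:secret|passw(?:or)?d|api_?key|token)\w*)\s*[:=]\s*"([^"\s]{8,})"',
        re.I,
    ),
    # Assumed service: Firebase-style real-time database URL (not named in the article).
    "realtime-db-url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com", re.I),
}


def redact(value):
    """Keep only the first four characters so the report does not leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path, text):
    """Return (path, line_no, rule, shown_value) for every hit in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                # For assignments, report the literal value, not the variable name.
                value = m.group(2) if rule == "hardcoded-secret" else m.group(0)
                shown = value if rule == "realtime-db-url" else redact(value)
                findings.append((path, line_no, rule, shown))
    return findings


# Constructed sample of decompiled-style source (keys are AWS documentation examples).
SAMPLE = '''\
public class CloudConfig {
    static final String BUCKET = "example-app-uploads";
    static final String ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String secretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String DB = "https://example-app.firebaseio.com";
    String token = fetchTokenFromBackend();  // fetched at runtime: not flagged
}
'''

if __name__ == "__main__":
    for finding in scan_text("CloudConfig.java", SAMPLE):
        print(*finding, sep="  ")
```

A database URL hit is not a leak by itself; it marks an endpoint whose access rules should be confirmed to require authentication.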