Cloud-based additions to mobile apps have become commonplace, but they’re not always best for consumers or developers. According to new research, either due to poor configuration or the simple lack of good security practices, some mobile app developers have put at risk the personal data of more than 100 million people.
The cyber-threat intelligence company Check Point Research (hereinafter CPR) recently discovered that many application developers put user data at risk by failing to follow best practices when it comes to “configuring and integrating third-party cloud in applications”. This vulnerable data could include both developer and consumer information, which gives both sides a reason to want the problem fixed.
After making this alarming discovery, CPR delved into how more than 100 million users’ personal data, such as emails, passwords, names, and more, were exposed to malicious actors. It turns out that it’s as simple as not enabling proper authentication for a real-time database that stores data in the cloud. CPR researchers could access databases that contained emails, passwords, usernames, dates of birth, chat messages, and more, making it a privacy nightmare.
CPR found Astro Guru, an “astrology, horoscope, and palmistry app with more than 10 million downloads,” with a leak problem.
This was achieved by pulling the access keys to the private cloud storage out of the application files and then easily accessing the databases. These keys could exist in plain text, encoded in Base64, or protected by other methods that are not foolproof or even secure. Even malware-laden applications were found to have these problems, so researchers could access and modify all the data in those applications’ cloud storage.
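A developer-side pre-release check for the problem described above, as an added example that is not from CPR or the original article: it scans text extracted from your own app build for key-like values, both as written and after Base64 decoding. The patterns, file names and key values are constructed assumptions.

```python
import base64
import binascii
import re

# Assumed key shapes for illustration; tune them to the cloud services your app uses.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|access[_-]?key|token)[\w-]*"
        r"[\"']?\s*[:=>]\s*[\"']?([A-Za-z0-9/+_\-]{16,})"
    ),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Constructed sample inputs standing in for unpacked app files (not from a real app).
FAKE_KEY = "EXAMPLEexample0123456789"
SAMPLE_FILES = {
    "res/values/strings.xml": f'<string name="cloud_api_key">{FAKE_KEY}</string>',
    "assets/config.json": '{"blob": "%s"}'
    % base64.b64encode(f"access_key={FAKE_KEY}".encode()).decode(),
    "src/Main.java": 'String greeting = "hello world";',
}


def scan_text(text):
    """Return the sorted names of the patterns that match the text."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))


def decode_b64_candidates(text):
    """Yield printable ASCII decodings of Base64-looking runs in the text."""
    for run in B64_RUN.findall(text):
        try:
            decoded = base64.b64decode(run, validate=True).decode("ascii")
        except (binascii.Error, ValueError):
            continue  # not valid Base64, or not text once decoded
        if decoded.isprintable():
            yield decoded


def scan_app(files):
    """Scan a {path: text} mapping as-is and again after Base64 decoding."""
    findings = []
    for path, text in files.items():
        findings += [(path, "plaintext", hit) for hit in scan_text(text)]
        for decoded in decode_b64_candidates(text):
            findings += [(path, "base64", hit) for hit in scan_text(decoded)]
    return findings
```

A finding of either kind means the key ships to every device that installs the app; Base64 only changes how it is spelled.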
While there is no great way to detect such vulnerabilities directly, CPR suggests using its “Check Point Harmony Mobile” app, which “automatically analyzes and identifies mobile security threats and vulnerabilities”. In addition, users should be wary of the apps they download, using only apps from trusted sources and known brands. At the end of the day, there are better ways to find your horoscope than downloading a random app and handing it personal information. Otherwise, we can tell you your horoscope: “You are vulnerable to data theft and you should be more alert.”