Android Mobile Phone Users

Android app ‘misconfigurations’ make 100m users vulnerable to cyberattacks: Report

*Cybersecurity experts disclose that the developers behind 23 mobile Android apps did not configure their real-time database properly, putting consumers’ data at risk

Isola Moses | ConsumerConnect

Researchers from cybersecurity security firm Check Point Research have discovered that a number of Android apps had “misconfigurations” on ‘cloud services’, while leaving user data belonging to more than 100 million consumers vulnerable to a variety of malware attacks.

ConsumerConnect learnt Check Point, in a report published Thursday, May 20, 2021, said it recently found out that the developers behind nearly two dozen mobile apps didn’t configure their real-time database properly.

The firm stated that “real-time database allows application developers to store data on the cloud, making sure it is synched in real-time to every connected client.”

According to the team, in the last few months, many application developers have “put their data and users’ data at risk” by failing to ensure that authentication mechanisms were in place.

The team further reported that “by not following best practices when configuring and integrating 3rd party cloud services into applications, millions of users’ private data was exposed.

“In some cases, this type of misuse only affects the users, however, the developers were also left vulnerable.

“The misconfiguration put users’ personal data and developer’s internal resources, such as access to update mechanisms and storage at risk.”

In connection with the 23 mobile apps examined,

The researchers said from the 23 Android apps they examined, Check Point noted that they included a taxi app with over 50,000 installs, a logo maker, a screen recorder with over 10 million downloads, a fax service, and astrology software, among others all contained a variety of security shortcomings.

Check Point said the apps were leaking data that included email records, chat messages, location information, user IDs, passwords, and images.

Thirteen of the apps left sensitive data publicly available in unsecured cloud setups.

In the case of the Angolan taxi app “T’Leva,” the researchers found that they were able to obtain user data, including messages exchanged with drivers, riders’ full names, phone numbers, and destination and pickup locations.

Describing the development as a ‘disturbing reality’, Aviran Hazum, Check Point’s Manager of Mobile Research, said the study “sheds light on a disturbing reality where application developers place not only their data, but their private users’ data at risk.”

Thus, when app developers fail to follow the “best practices” when configuring and integrating third party cloud services, the researchers said it could potentially leave users vulnerable to several types of cybersecurity threats.

Researchers said: “This misconfiguration of real-time databases is not new, but [..] the scope of the issue is still far too broad and affects millions of users.

“If a malicious actor gains access to this data it could potentially result in service-swipe (trying to use the same username-password combination on other services), fraud, and identity theft.”

The firm said it informed the app developers of the vulnerabilities, and a few have since changed their configuration.

Kindly Share This Story