Unencrypted keys and misconfigured access allows hackers to easily access sensitive user data.
In the crowded mobile app marketplace, developers often differentiate themselves by tying up with real-time databases, analytics, and cloud-based storage to offer up-to-the-minute content and functions. These data sources are easily integrated into an app nowadays.
The problem occurs when developers do not properly configure the links to these databases. Some app developers have been found by Check Point Research (CPR) to have misconfigured third-party cloud services, leaving data exposed to malicious actors.
Accessing both the data of the developers and their users would then be child’s play to hackers, who could even communicate to users on behalf of the developers!
According to CPR, the personal data of 100 million users’ e-mails, passwords, chat messages, and even photos have been compromised due to such lapses. As a result, users of leaky apps have become vulnerable to cybercriminals. The firm’s Manager of Mobile Research, Aviran Hazum, commented: “Most of the apps we took a look at are still exposing the data now. Data gathering, especially by a malicious actor, is very serious. Ultimately, victims become vulnerable to many different attack vectors, such as impersonations, identify theft, phishing and service swipes.”
Examples of leaky apps
Here are some examples of apps that CPR had found to be leaking both personal data and real-time data:
- One was a taxi app, T’Leva, which has been downloaded over fifty-thousand times. Researchers were able to access chat messages between drivers and passengers, and retrieve users’ full names, phone numbers, and locations (destination and pick-up)—all by sending one request to the database.
- The other is Astro Guru, is a popular astrology, horoscope and palmistry app with over 10 million downloads. Due to misconfiguration, names, dates of birth, genders, locations, emails and payment details were exposed.
- The app iFax not only had cloud storage keys embedded inside it, but it also stored all fax transmissions there. Some 500,000 users made use of the app and because the keys were just embedded in the app, any hacker can access and analyze all their data.
- The Screen Recorder app, downloaded some 10 million times, records a device screen and store it in the cloud. Within a short time, CPR had found that the keys that permitted access to the data stored in the associated cloud storage service.
An effective mobile threat defense solution can easily find and respond to a number of different attacks while providing a positive user experience. According to Jonathan Knudsen, Senior Security Strategist, Synopsys Software Integrity Group commented that the best way to safeguard security is for app developers to use a Secure Development Life Cycle, in which security is part of every phase of development, from design through implementation, testing, and maintenance.
“In addition to misconfiguration issues, a highly important—and often neglected—part of secure development which impacts user data and privacy is managing the use of open source components. (Our data shows that) almost two-thirds of the most popular apps in the Android Play Store contain vulnerabilities from open source components. Out of those, 94% of the vulnerabilities have publicly documented fixes, meaning the vulnerabilities can be eliminated if the app developers update the app to use the latest versions of the open source components.”
App developers can take note of these ongoing problems in mobile app development and exercise extra careful on how they use and configure third party cloud services and data sources.