100 Million Android Users’ Data Exposed Due to Poor Cloud Security Practices by App Developers

essidsolutions

Thirteen mobile apps on Google Play Store, some of which have over 10 million installations, have cloud security misconfigurations. Put together, a total of more than 100 million Android users, as well as internal developer tools, are exposed and at risk of being hacked.

Approximately 100 million Android users are at risk of falling victim to numerous cyberattacks because of developer negligence and a lack of proper cybersecurity hygiene. Researchers at Check Point Software Technologies discovered that more than a dozen popular applications available on the Google Play Store have cloud misconfigurations that heavily impact their security posture.

The fact that Check Point Research examined just 23 applications, 13 of which were found to have lax security implementations, is pretty disconcerting, to say the least.

The world today has moved online. With internet penetration at an all-time high, an increasing number of organizations are leveraging it to deliver their services to consumers. Consumer or user data forms an essential part of how organizations serve their customers, especially in recent times with cloud-based real-time synchronization revolutionizing the game.

What Is Cloud Misconfiguration?

A cloud misconfiguration is a crucial gap in a cloud implementation that can expose an organization and leave sensitive company and customer data unprotected. An IDC study found that cloud misconfiguration is one of the biggest concerns for 67% of senior IT decision-makers (ITDMs). Aqua Security found that 90% of companies are vulnerable to cloud misconfigurations, while an Accurics report revealed that one in four cloud violations is due to poor configuration.

Despite this, only 8% of small and midsize business users fixed every detected issue, while only 1% of enterprise users did. And even as over 50% of organizations get alerts about misconfigured services that have left them open to the internet, only 68% of these issues were fixed, and even then the average time to do so was 24 days.

Misconfigurations in the cloud resulted in the exposure of 33.4 billion data records in 2018 and 2019, DivvyCloud by Rapid7 found, costing organizations approximately $5 trillion.

The most common reason behind cloud security misconfigurations is either human error or a lack of appropriate infrastructure.

“Modern cloud-based solutions have become the new standard in the mobile application development world,” explained Check Point researchers. “Services such as cloud-based storage, real-time databases, notification management, analytics, and more are simply a click away from being integrated into applications. Yet, developers often overlook the security aspect of these services, their configuration, and of course, their content.”

What Was/Is Exposed?

These 13 apps (there may be more) inadvertently expose the personal information of 100 million users by not adhering to best practices when configuring and integrating third-party cloud services into their applications. As a result, emails, chat messages, location, passwords, dates of birth, photos, and more were exposed to the internet.

The apps with exposed back-ends have each been downloaded between 10,000 and 10 million times. Michael Isbitski, technical evangelist, Salt Security, told Security Magazine, “Some of these issues uncovered in the Check Point research are similar to what we covered in the iPhone recorder incident. Mobile application developers often make use of cloud-hosted databases and data storage, such as AWS S3, to store content for mobile clients. Such cloud services provide essentially unlimited storage, that is accessible from anywhere, and that is perfect for the world of mobile connectivity.”

What’s more is that besides the personal data of millions, which in itself is a serious concern, blunders by developers of the 13 apps identified by Check Point researchers also expose and risk their internal resources. This includes access to update mechanisms, storage, etc.

Overlooked Security Practices in Apps With Misconfigured Cloud

Check Point found that the databases supporting the Android mobile apps weren’t even secured with an authentication mechanism. This is why researchers were able to simply walk in and access the exposed data.

The company specifically notes two apps, Astro Guru, an astrology app, and T’Leva, a taxi service, neither of which has authentication in place for the databases holding personal as well as real-time information of their users.

Isbitski adds, “For the Android apps Check Point investigated, they uncovered data stored in the cloud that did not require authentication and was accessible to anyone. The data included sensitive, personal information like email addresses, user IDs, passwords, chat logs, and more, depending on the use cases for the mobile app and what is necessary for the app to function.”

The Israeli-American security company also found that developers stored access keys and app data of Screen Recorder, a cloud-driven screenshot and screen recording app with 10 million downloads, on the same cloud service. Additionally, an app called iFax (500,000+ downloads) is designed with not only embedded keys within the app but also all fax transmissions within it.

Any threat actor with the keys embedded within the apps could thus get their hands on the stored data that the user has trusted the app vendor to store, much like researchers at Check Point did.

Moreover, some apps embed the keys required for Android’s widely used push notifications within the application itself. In theory, an attacker who manages to retrieve these embedded push notification keys could take over the push notification manager and open the floodgates to malicious content, messages, emails, etc.
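A pre-release check a developer could run over a decompiled release build to catch the kind of embedded keys described above. This is an added example, not code from Check Point or from any of the apps named; the rule set is heuristic, and the file names and key values are constructed for illustration.

```python
import math
import re

END = r"(?![0-9A-Za-z_-])"  # the token must not continue past the match
RULES = {  # heuristic patterns keyed on well-known credential prefixes
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}" + END),
    "push_server_key": re.compile(r"\bAAAA[0-9A-Za-z_-]{7}:[0-9A-Za-z_-]{140}" + END),
}
# Fallback rule: a secret-looking name followed by a long literal.
GENERIC = re.compile(
    r"(?i)(?:secret|token|passw(?:or)?d|api_?key)\w*[\"'>\s:=]+([A-Za-z0-9+/_=-]{20,})")

def entropy(s):
    """Shannon entropy in bits per character; random keys score high."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def redact(value):
    """Report only a prefix and length so the finding itself leaks nothing."""
    return f"{value[:4]}...({len(value)} chars)"

def scan(files, min_entropy=3.5):
    """Return (path, line_no, rule, redacted_value) for each suspected embedded key."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            hits = [(rule, m.group(0)) for rule, rx in RULES.items() for m in rx.finditer(line)]
            if not hits:  # fall back to the generic rule only when nothing specific matched
                hits = [("generic_secret", m.group(1)) for m in GENERIC.finditer(line)
                        if entropy(m.group(1)) >= min_entropy]
            findings += [(path, no, rule, redact(v)) for rule, v in hits]
    return findings

# Constructed sample: text as it might appear in a decompiled release build.
# All key values are fabricated (the AWS ones are the vendor's documentation examples).
SAMPLE_FILES = {
    "res/values/strings.xml": "\n".join([
        "<resources>",
        '  <string name="app_name">Demo</string>',
        '  <string name="google_api_key">AIzaSy' + "0aB1" * 8 + "x</string>",
        "</resources>"]),
    "com/example/Uploader.java": "\n".join([
        'static final String ACCESS_ID = "AKIAIOSFODNN7EXAMPLE";',
        'String uploadSecret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";',
        'String tokenLabel = "aaaaaaaaaaaaaaaaaaaaaaaa";  // low entropy, ignored',
        'static final String PUSH_KEY = "AAAAabc1234:APA91b' + "Z9" * 67 + '";']),
}

if __name__ == "__main__": print(*scan(SAMPLE_FILES), sep="\n")
```

Any finding means the credential ships to every device that installs the app, so the fix is to move it behind an authenticated back-end and rotate it, not to obfuscate it.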

“Search engines, such as Google, do not index these APIs which gives a false sense of security when in fact these mobile endpoints can be just as vulnerable as any other website. This is considered ‘Security Through Obscurity’ in the cybersecurity industry,” explains Ray Kelly, principal security engineer at WhiteHat Security. 

He adds, “It’s akin to hiding your house key under your doormat and thinking your house is safe. Ensuring that a mobile application is secure requires that the application’s binary, network layer, back-end storage and APIs are all tested thoroughly for security vulnerabilities that can lead to issues such as data leakage.”

Check Point Research apprised respective app developers as well as Google of their findings. The company says only ‘a few’ of the 13 apps updated their cloud security configuration. For obvious reasons, Check Point held on to their findings until developers had adequate time to make necessary changes, but it seems those that haven’t aren’t in a hurry.

The complete list of vulnerable apps remains under wraps as of now.

How To Prevent Cloud Misconfigurations?

There’s no silver bullet, and it isn’t a one-off event. Securing cloud environments is a continuously evolving process with multiple stakeholders, including the cloud vendor, cloud service provider, and others. The United States Department of Defense’s National Security Agency (NSA) outlined the basics of robust and secure cloud infrastructure. They are:

  • Use of Identity and Access Management solutions to limit the accessibility of back-end resources
  • Workload management with virtualization and containerization to isolate storage and applications
  • Network isolation via software-defined networking

Organizations may also look into adopting DevSecOps practices, Infrastructure as Code (IaC), Policy as Code, Drift as Code (DaC), and Remediation as Code (RaC).

Closing Thoughts

The highly interactive, responsive, and easy-to-use nature of mobile apps means that they aren’t going anywhere. Moreover, CloudCheckr’s recent Cloud Infrastructure Report assessed that two-thirds (64%) of companies expect to fully become cloud-native by migrating business operations to the public cloud within five years.

Tim McKinnon, CEO, CloudCheckr, said, “Migrating to the cloud is only the first step. It’s up to organizations to adopt the right technology and form teams — be it internally or externally — to develop and manage cloud strategy, governance, and best practices.” This includes the security of the cloud environment.

This is exactly why vendor organizations (and independent developers) need to address misconfigurations head-on, although the priority definitely needs to be on minimizing such gaffes through continuous improvements to the cloud security posture.