Mobile app developers potentially expose personal data of 100 million Android users

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being.

After examining 23 Android applications, Check Point Research noticed mobile app developers potentially exposed the personal data of over 100 million users through a variety of misconfigurations of third party cloud services. 

Personal data included emails, chat messages, location, passwords and photos, which, in the hands of malicious actors could lead to fraud, identity-theft and service swipes.

CPR discovered publicly available sensitive data from real-time databases in 13 Android applications, with the number of downloads that each app has ranging from 10,000 to 10 million.

It found push notification and cloud storage keys embedded in a number of Android applications themselves. 

Modern cloud-based solutions have become the new standard in the mobile application development world. Services such as cloud-based storage, real-time databases, notification management, analytics, and more are simply a click away from being integrated into applications. Yet, CPR says developers often overlook the security aspect of these services, their configuration, and their content.

CPR recently discovered that in the last few months, many application developers have left their data and millions of users’ private information exposed by not following best practices when configuring and integrating third party cloud-services into their applications. The misconfiguration put users’ personal data and developers’ internal resources, such as access to update mechanisms, storage and more, at risk, it says.

Misconfiguring Real-Time Databases

Real-time databases allow application developers to store data on the cloud, making sure it is synchronised in real-time to every connected client. This service solves one of the most encountered problems in application development, while making sure that the database is supported for all client platforms. 

However, what happens if the developers behind the application do not configure their real-time database with a simple and basic feature like authentication?

“This misconfiguration of real-time databases is not new, and continues to be widely common, affecting millions of users,” CPR says. 

“All CPR researchers had to do was attempt to access…