We use mobile apps every day, and when downloading them, we assume our data will be stored securely. Most users don’t even think twice about the possibility that the app they have just installed is a privacy leak waiting to happen.
How many apps on your device do you think can compromise your personal data and sensitive information? We hate to be the bearer of bad news, but the number is more than you think. Just because they haven’t made it to the headlines doesn’t make them safe.
Now, a bunch of apps have been caught leaking data from 100 million users. If you have any of the offending apps installed, delete them immediately.
Here’s the backstory
It didn’t take long for Check Point Research (CPR) to see red flags. The company only had to examine 23 Android apps to find a pattern of exposed personal details. Through various misconfigurations of third-party cloud services, as many as 100 million users could have had their data compromised.
“CPR saw numerous app developers misusing third party cloud-services, such as real-time databases, notification managers and cloud storage, resulting in data exposure of not only themselves, but that of users,” the company said in a press statement.
Exposed personal data included emails, chat messages, location data, passwords and photos. This would be a treasure trove for cybercriminals looking to commit identity theft, fraud and other online scams.
Providing a few examples, CPR explained that the Astro Guru app, which has over 10 million downloads, could be used to extract:
- Dates of birth
- Email addresses
- Payment details
The taxi application T’Leva is another example of exposed data. If a hacker used the same techniques as CPR, the criminal could steal:
- Chat messages between drivers and passengers
- Users’ full names
- Phone numbers
“CPR successfully accessed sensitive data from real-time databases of 13 Android applications, ranging from 10,000 to 10 million downloads. If a malicious actor gains access to the sensitive data extracted by CPR, it would potentially lead to fraud, identity-theft, and service-swipe,” CPR explained.
The Logo Maker app was found to expose:
- Email addresses
- User ID
Screen Recorder, which has over 10 million downloads, exposes recordings made by users. CPR managed to breach the app’s cloud storage after finding the storage keys exposed in the app. The iFax app, with 500,000 downloads, had the same vulnerability.
Storing cloud-service keys inside an app is a terrible idea, and some developers are aware of the bad practice: CPR found several cases where developers tried to “cover-up the problem with a solution that did not fix the problem.”
What you can do about it
There’s very little that you can do about misconfigurations of third-party cloud services: it is up to the developers to keep their own and their users’ data safe. Aviran Hazum, Manager of Mobile Research at CPR, says that “developers need to scan their applications for the vulnerabilities” before releasing them to the market.
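The scan Hazum calls for can start with something as simple as checking an app’s decoded resources for credential formats before release. What follows is an added example, not code from this article or from Check Point Research. It assumes the app has been unpacked with a tool such as apktool, it uses the publicly documented formats of AWS access key IDs, Google API keys and Firebase Realtime Database URLs as its patterns (the article does not say which cloud services the affected apps used), and the sample strings.xml and every key in it are constructed, fake values.

```python
import os
import re
from typing import Dict, List, Tuple

# Added example (not from the article or Check Point Research): a minimal
# pre-release scanner for cloud-service credentials embedded in an Android
# app's decoded resources. The first three patterns are the well-known public
# formats of an AWS access key ID, a Google API key and a Firebase Realtime
# Database URL; the fourth is a loose heuristic for hard-coded assignments
# such as api_key = "..." in config or source files.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "firebase_db_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
    "generic_secret": re.compile(
        r"(?i)(?:secret|api[_-]?key|access[_-]?key|private[_-]?key)"
        r"\s*[:=]\s*[\"']?([A-Za-z0-9/+_\-]{16,})"
    ),
}

# File types worth scanning after `apktool d app.apk` (assumed tool):
# resource XML, smali/Java/Kotlin sources, JSON configs and .properties files.
SCAN_SUFFIXES = (".xml", ".smali", ".java", ".kt", ".json", ".properties", ".txt")


def scan_text(text: str, source: str = "<memory>") -> List[Tuple[str, str, str]]:
    """Return (source, pattern_name, matched_text) for every hit in `text`."""
    hits = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((source, name, m.group(0)))
    return hits


def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Walk a decoded APK directory and scan every text-like file in it."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="ignore") as f:
                    hits.extend(scan_text(f.read(), os.path.relpath(path, root)))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return hits


# Constructed sample: what a decoded res/values/strings.xml might look like
# when a developer ships live cloud keys. Every value below is fake.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Example App</string>
    <string name="firebase_database_url">https://example-app-12345.firebaseio.com</string>
    <string name="google_api_key">AIza0123456789abcdefghijklmnopqrstuvwxy</string>
    <string name="aws_access_key">AKIAEXAMPLEKEY000000</string>
    <string name="support_email">support@example.invalid</string>
</resources>
"""

if __name__ == "__main__":
    for source, name, value in scan_text(SAMPLE_STRINGS_XML, "res/values/strings.xml"):
        print(f"{source}: {name}: {value}")
    # On a real decoded app: for hit in scan_tree("path/to/decoded-apk"): print(hit)
```

A hit on any of the first three patterns should block the release until the key is moved out of the app (for example behind a backend the app authenticates to) and, for the database URL, until its access rules are confirmed to reject unauthenticated reads and writes. The generic pattern is deliberately loose and will produce false positives; treat its hits as items to review rather than as confirmed leaks.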
The best course of action is to delete any of the apps named in the report that you have installed. You can also check whether your data has been exposed on the Dark Web using the popular haveibeenpwned.com website.
It is generally a good idea to read online reviews of an app before downloading it, and to do a quick Google search to see whether it has been mentioned in any security briefings.