Checkpoint researchers have discovered 23 Android apps on Google's Playstore that expose users' sensitive data online. Some of these apps have millions of installs, and they leak data because of misconfigured cloud services hosting the real-time databases that developers use to transmit and sync data among clients.
Popular Android Apps Leaking Data
While it's common for indie developers to overlook important security rules while building their apps, established developers doing the same should be ashamed. Researchers at Checkpoint have spotted 23 Android apps on Google's Playstore exposing their users' sensitive data.
Some of the apps, like Astro Guru and Logo Maker, have over 10 million installs on the Playstore and leak users' PII such as names, email addresses, dates of birth, chat messages, location, gender, passwords, photos, payment details, phone numbers, and push notifications. Along with these, some exposures also leak the developer's internal tools.
For example, an app named Screen Recorder has its cloud storage keys exposed, and those keys give access to users' screenshots from their devices. This is notable since the app has over 10 million installs on the Playstore. Further, an app named iFix has the same problem and exposes users' fax transmissions.
Though some developers obfuscated the secret key with base64 encoding, it's still useless since the decoding isn't protected. The researchers said, "Even if the application does not use clear-text keys, all that is needed is to find the piece of code that initializes the cloud-service interface, which mostly receives those keys as parameters and follows their value. Eventually, if the keys are embedded into the app, we will get their value."
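An added example (not from Checkpoint's research or from any of the named apps): a pre-release check a developer can run over strings extracted from their own build, showing that a base64-wrapped key is found just as easily as a clear-text one. The two key formats are publicly documented AWS and Google patterns, used here as an assumption because the article does not name the cloud providers involved; the sample strings are constructed.

```python
import base64
import binascii
import re

# Publicly documented key formats, used as illustrative detectors (assumption:
# the article does not say which cloud services the affected apps used).
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
}
# Candidate base64 runs long enough to hold an encoded key.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Constructed sample input; the key is AWS's documentation placeholder.
SAMPLE_STRINGS = [
    "app_name=Demo Recorder",
    "storage_key=AKIAIOSFODNN7EXAMPLE",
    "storage_key_b64=" + base64.b64encode(b"AKIAIOSFODNN7EXAMPLE").decode(),
]


def find_keys(text):
    """Return (key_type, value) for every known key format found in text."""
    return [(name, m.group(0))
            for name, rx in KEY_PATTERNS.items()
            for m in rx.finditer(text)]


def scan_strings(strings):
    """Return findings as (string_index, encoding, key_type, value)."""
    findings = []
    for i, s in enumerate(strings):
        # Pass 1: keys stored in clear text.
        for name, val in find_keys(s):
            findings.append((i, "plain", name, val))
        # Pass 2: decode anything that looks like base64 and re-check it.
        for tok in B64_TOKEN.findall(s):
            try:
                decoded = base64.b64decode(tok, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                continue  # not valid base64, or not text once decoded
            for name, val in find_keys(decoded):
                findings.append((i, "base64", name, val))
    return findings


if __name__ == "__main__":
    for finding in scan_strings(SAMPLE_STRINGS):
        print(finding)
```

Any finding from either pass means the key ships inside the app and should be moved off the client and rotated.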
Over a dozen of these apps have 10 million+ installs, which makes this concerning. This incident shows how widespread the problem of developers not following security practices is in the industry, despite regular cyberattacks.