Check Point researchers have discovered 23 Android apps on Google’s Play Store exposing users’ sensitive data online. Some of these apps have millions of installs. The leaks stem from misconfigured cloud services: the real-time databases the developers use to transmit and sync data among clients were left accessible without authentication.


Popular Android Apps in Google Playstore Found Leaking User Data

While it’s common for indie developers to skip important security rules while building their apps, established developers doing the same should be ashamed. Researchers at Check Point have spotted 23 Android apps on Google’s Play Store exposing their users’ sensitive data.

Some of the apps, such as Astro Guru and Logo Maker, have over 10 million installs on the Play Store and are leaking users’ PII, including names, email addresses, dates of birth, chat messages, location, gender, passwords, photos, payment details, phone numbers and push notifications. Some of the exposures also leak the developer’s internal tools.
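The root cause the article describes is a real-time database that accepts reads and writes from anyone. The check below is an added example, not code from the Check Point research or from any of the apps named here; it assumes the database is a Firebase Realtime Database (the article's description matches that service but does not name it) and uses Firebase's rules format, `{"rules": {".read": ..., ".write": ...}}`. Both rule sets are constructed: the first is the kind of fully open configuration that exposes a whole database, the second scopes each user's record to that authenticated user.

```python
"""Audit Firebase Realtime Database security rules for unauthenticated access.

Added example: not code from the Check Point research or from the apps named in
the article. The rules format is Firebase's; the two rule sets are constructed.
"""
import json

# Constructed: a permissive rules file that exposes the entire database tree.
OPEN_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Constructed: per-user scoping plus a read-only public section.
SCOPED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "public_config": {
            ".read": True,     # public, read-only data is an accepted trade-off
            ".write": False,
        },
    }
})


def _is_unauthenticated(expr) -> bool:
    """Heuristic: a rule grants unauthenticated access when it is literally
    true, or is a string expression that never consults the auth token."""
    if expr is True:
        return True
    if isinstance(expr, str):
        return expr.strip() == "true" or "auth" not in expr
    return False


def find_open_paths(rules_json: str) -> list:
    """Return (path, permission) pairs where access is granted without auth.

    Open 'write' is the worst case (anyone can tamper with or wipe data);
    open 'read' on user data is the exposure described in the article.
    """
    findings = []

    def walk(node: dict, path: str) -> None:
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_unauthenticated(value):
                    findings.append((path or "/", key[1:]))
            elif key != ".validate" and isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return findings


if __name__ == "__main__":
    for label, rules in (("open", OPEN_RULES), ("scoped", SCOPED_RULES)):
        print(label, find_open_paths(rules))
```

The scoped rule set still produces one finding, `/public_config` readable by anyone, which is the point of running the audit: every open path should be a deliberate decision, reviewed against what is stored under it, rather than a default nobody looked at.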

For example, an app named Screen Recorder has its cloud storage keys embedded in the app and exposed, and those keys grant access to the screenshots users have uploaded from their devices. This is particularly concerning since the app has over 10 million installs on the Play Store. Further, an app named iFix has the same problem and exposes users’ fax transmissions.

Though some developers obfuscated the secret key with base64 encoding, that offers no protection, since the decoding step is itself unprotected and trivially reversible. The researchers said, “Even if the application does not use clear-text keys, all that is needed is to find the piece of code that initializes the cloud-service interface, which mostly receives those keys as parameters and follows their value. Eventually, if the keys are embedded into the app, we will get their value.”
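The practical mitigation for the keys problem is to catch embedded credentials before a build ships, treating base64 wrapping as no different from plaintext. The scanner below is an added example, not code from the Check Point research or from the apps discussed; it is meant to run in CI over the developer's own decoded resources. The `strings.xml` content is constructed, the `EXAMPLEKEY-`/`EXAMPLESECRET-` formats are placeholders standing in for a vendor's documented key syntax, and the entropy threshold and base64 heuristics are assumptions of this example, not any tool's published rules.

```python
"""Scan decoded app resources for embedded cloud credentials, including ones
hidden behind base64 encoding.

Added example: not code from the Check Point research or from any app named in
the article. Sample content, key formats and thresholds are constructed.
"""
import base64
import binascii
import math
import re

# Constructed placeholder secret; the base64 blob below is derived from it so
# the sample stays self-consistent.
_PLACEHOLDER_SECRET = b"EXAMPLESECRET-abcdefghijklmnopqrstuvwxyz0123456789"
_ENCODED = base64.b64encode(_PLACEHOLDER_SECRET).decode()

# Constructed strings.xml content, in the shape a decoded APK's res/values has.
SAMPLE_RESOURCES = f"""
<resources>
    <string name="app_name">Example Notes</string>
    <string name="storage_access_key">EXAMPLEKEY-0123456789ABCDEFGHIJ</string>
    <string name="db_url">https://example-db.invalid/</string>
    <string name="cfg_blob">{_ENCODED}</string>
    <string name="api_token">changeme</string>
    <string name="greeting">Welcome back</string>
</resources>
"""

STRING_RE = re.compile(r'<string name="([^"]+)">([^<]*)</string>')
# Placeholder credential format (assumption) standing in for a real key syntax.
KEY_RE = re.compile(r"EXAMPLE(?:KEY|SECRET)-[A-Za-z0-9]{20,}")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")
SENSITIVE_NAME_RE = re.compile(r"key|secret|token|passw|credential", re.I)
URL_RE = re.compile(r"^https?://")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score higher than prose."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def _try_base64(value: str):
    """Return the decoded text when value is base64 of printable ASCII."""
    if not B64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("ascii") if all(32 <= b < 127 for b in raw) else None


def classify(value: str) -> list:
    """Reasons a single value looks like a credential (plaintext view)."""
    reasons = []
    if KEY_RE.search(value):
        reasons.append("matches credential format")
    elif (len(value) >= 20 and " " not in value and not URL_RE.match(value)
          and shannon_entropy(value) > 3.5):
        reasons.append("high-entropy string")
    return reasons


def scan_resources(xml_text: str) -> list:
    """Return findings as {'name', 'reasons'} for each suspicious resource.

    Each value is checked as-is and, when it is valid base64 for printable
    text, again after decoding, so base64 "obfuscation" is seen through.
    """
    findings = []
    for name, value in STRING_RE.findall(xml_text):
        reasons = classify(value)
        decoded = _try_base64(value)
        if decoded is not None:
            reasons += [f"base64-wrapped: {r}" for r in classify(decoded)]
        if not reasons and value and SENSITIVE_NAME_RE.search(name):
            reasons.append("sensitive resource name")
        if reasons:
            findings.append({"name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_resources(SAMPLE_RESOURCES):
        print(f"{finding['name']}: {', '.join(finding['reasons'])}")
```

The third category, a resource whose name says `token` but whose value matches nothing, is deliberately the weakest signal and is only reported when nothing else fires; the fix in every case is the same, which is to keep the credential out of the client entirely and let a backend hold it.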

Over a dozen of these apps have more than 10 million installs, which makes the exposure all the more concerning. This incident shows how widespread the problem of developers neglecting basic security practices is in the industry, despite the regular cyberattacks they witness.
