Checkpoint researchers have discovered 23 Android apps from Google’s Playstore, exposing users’ sensitive data online. With some having millions of installs, these apps are leaking the data because of misconfigured cloud services, which store the real-time database which the developers use for transmitting and syncing data among the clients.
Popular Android Apps Leaking Data
While it’s common that some indie developers often run over important security rules while developing their apps, established developers doing the same should be ashamed. Researchers at Checkpoint have spotted 23 Android apps from Google’s Playstore exposing their users’ sensitive data.
Some of the apps like Astro Guru and Logo Maker are having over 10 million installs on the Playstore and leaking the users’ PII like their names, email addresses, dates of birth, chat messages, location, gender, passwords, photos, payment details, phone numbers, push notifications. Along with these, some exposures also leak the developer’s internal tools.
For example, an app named Screen Recorder has its cloud storage keys exposed, which can access the users’ screenshots from their device. This is adequately intriguing since the app has over 10 million installs in Playstore. Further, an app named iFix has the same problem and exposes users’ fax transmissions.
Though some developers obfuscated the secret key with base64 encoding, it’s still useless since the decoding isn’t protected. The researchers in this said, “Even if the application does not use clear-text keys, all that is needed is to find the piece of code that initializes the cloud-service interface, which mostly receives those keys as parameters and follows their value. Eventually, if the keys are embedded into the app, we will get their value.”
Over a dozen of these apps have 10 million+ installs, thus concerning. This incident describes how widespread the problem of developers following security practices is in the industry, despite seeing regular cyberattacks.