Aviad Danin, R&D Team Leader, Check Point Software Technologies
Aviran Hazum, Analysis and Response Team Leader, Check Point Software Technologies
Bogdan Melnykov, Reverse Engineer, Check Point Software Technologies
Dana Tsymberg, Cybersecurity Analyst, Check Point Software Technologies
Israel Wernik, Cybersecurity Researcher, Check Point Software Technologies
After examining 23 Android applications, Check Point Research (CPR) noticed mobile app developers potentially exposed the personal data of over 100 million users through a variety of misconfigurations of third party cloud services. Personal data included emails, chat messages, location, passwords and photos, which, in the hands of malicious actors could lead to fraud, identity-theft and service swipes.
- CPR discovered publically available sensitive data from real-time databases in 13 Android applications, with the number of downloads that each app has ranging from 10,000 to 10 million
- CPR found push notification and cloud storage keys embedded in a number of Android applications themselves
- CPR provides examples of vulnerable applications: an astrology, taxi, logo-maker, screen recording and a fax app that left users and developers vulnerable to malicious actors
Modern cloud-based solutions have become the new standard in the mobile application development world. Services such as cloud-based storage, real-time databases, notification management, analytics, and more are simply a click away from being integrated into applications. Yet, developers often overlook the security aspect of these services, their configuration, and of course, their content.
CPR recently discovered that in the last few months, many application developers have left their data and millions of users’ private information exposed by not following best practices when configuring and integrating third party cloud-services into their applications. The misconfiguration put users’ personal data and developers’ internal resources, such as access to update mechanisms, storage and more, at risk.
Misconfiguring Real-Time Databases
Real-time databases allow application developers to store data on the cloud, making sure it is synchronized in real-time to every connected client. This service solves one of the most encountered problems in application development, while making sure that the database is supported for all client platforms. However, what happens if the developers behind the application do not configure their real-time database with a simple and basic feature like authentication?
This misconfiguration of real-time databases is not new, and continues to be widely common, affecting millions of users. All CPR researchers had to do was attempt to access the data. There was nothing in place to stop the unauthorized access from happening.
While investigating the content on the publically available database, we were able to recover a lot of sensitive information including email addresses, passwords, private chats, device location, user identifiers, and more. If a malicious actor gains access to this data, it could potentially lead to service-swipes (ie. trying to use the same username-password combination on other services), fraud, and/ or identity-theft.
CPR researchers found that Astro Guru, a popular astrology, horoscope and palmistry app with over 10 million downloads, has this misconfiguration. After users input their personal information such as their name, date of birth, gender, location, email and payment details, Astro Guru provides them a personal astrology and horoscope prediction report. Imagine exposing sensitive data for a horoscope prediction!
Storing personal information is one thing, but what about storing real-time data? This is what a real-time database is for. Through T’Leva, a taxi app with over fifty thousand downloads, CPR researchers were able to access chat messages between drivers and passengers and retrieve users full names, phone numbers, and locations (destination and pick-up) – all by sending one request to the database.
A push notification manager is one of the most widely used services in the mobile application industry. Push notifications are often used to flag new available content, display chat messages, emails, and much more. Most push notification services require a key (sometimes, more than one) to recognize the identity of the request submitter. When those keys are just embedded into the application file itself, it is very easy for hackers to take control and gain the ability to send notifications which might contain malicious links or content to all users on behalf of the developer.
Imagine if a news-outlet application pushed a fake-news entry notification to its users directing them to a phishing page. Since the notification originated from the official app, the users would assume the notification was legitimate and sent by the news outlet and not hackers.
Cloud storage on mobile applications is a practice that has skyrocketed in the last few years. It allows access to files shared by either the developer or the installed application. Here are two examples of apps that CPR researchers found on Google Play:
- With over 10 million downloads, the “Screen Recorder” app is used to record the user´s device screen and store the recordings on a cloud service. While accessing screen recordings through the cloud is a convenient feature, there can be serious implications if developers safeguard users’ private passwords on the same cloud service that stores the recordings. With a quick analysis of the application file, CPR researchers were able to recover the mentioned keys that grant access to each stored recording.
- The second app, “iFax”, not only had the cloud storage keys embedded into the app, but also stored all fax transmissions there.. With just analyzing the app, a malicious actor could gain access to any and all documents sent by the 500,000 users who downloaded this application.
It is important to note is that CPR approached Google and each of these apps´ developers prior to the publication of this blog to share our findings. A few of the apps have changed their configuration.
How to protect yourself
Mobile devices can be attacked via different ways. This includes the potential for malicious apps, network-level attacks, and exploitation of vulnerabilities within devices and the mobile OS. As mobile devices become increasingly important, they have received additional attention from cybercriminals. As a result, cyber threats against these devices have become more diverse. An effective mobile threat defense solution needs to be able to detect and respond to a variety of different attacks while providing a positive user experience.
Check Point Harmony Mobile is the market-leading Mobile Threat Defense (MTD) and Mobile App Reputation Service (MARS) solution, providing the widest range of capabilities to help you secure your mobile and the data on it.
For more information about this research please visit https://research.checkpoint.com/