Cloud misconfiguration exposes 100M+ Android Users

Misconfiguration of back-end cloud services by more than 20 mobile app developers may have exposed the personal data of over 100 million Android users, according to researchers.
A team at Check Point investigated 23 Android applications in a new piece of research, and found users’ emails, chat messages, location, passwords and photos all exposed by poor security practices.
There were three main issues. The first was misconfiguration of the real-time databases that developers use to store data in the cloud and synchronize it with every client instantaneously.
In 13 of the apps studied, no authentication was deployed, enabling would-be attackers to access highly sensitive user data such as email addresses, passwords and private chats.
The second security snafu concerned push notification manager services.
“Most push notification services require a key (sometimes, more than one) to recognize the identity of the request submitter,” Check Point explained. “When those keys are just embedded into the application file itself, it is very easy for hackers to take control and gain the ability to send notifications which might contain malicious links or content to all users on behalf of the developer.”
The third issue was with cloud storage: again the researchers were able to find cases where developers had stored keys in the app file itself, enabling attackers to access sensitive user information.
Check Point said some, but not all, of the developers it contacted prior to publication had changed their configurations to mitigate the highlighted issues.
“This is the perfect storm of three issues — cloud misconfigurations, cloud credential leaks, and overly permissive mobile apps collecting more personal information than needed. Mobile apps usually rely on public cloud-based backend services like databases, analytics, and storage which are prime candidates for misconfiguration,” argued Saumitra Das, CTO of Blue Hexagon.
“Additionally, they release their code openly on app stores making it easier for folks to reverse engineer the inner workings. It is a common mistake to leave cloud access keys in code repositories and apps. Simple encodings like base64 are not enough to obscure the access keys which can allow anyone to then get access to customer PII being collected by the app in the cloud.”
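A pre-release check a developer could run over their own unpacked app package for the embedded-key problem described above, including keys hidden behind base64. This is an added example, not code from Check Point or the article; the function names and sample bytes are constructed for illustration, and the two patterns are the publicly known AWS access key ID and Google API key formats.

```python
import base64
import binascii
import re

# Publicly documented key formats; extend with the formats of the services you use.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
}
# Runs of base64 alphabet long enough to carry an encoded key.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def match_keys(text, encoding):
    """Return (kind, value, encoding) for every key-shaped match in text."""
    return [(kind, m.group(0), encoding)
            for kind, rx in KEY_PATTERNS.items()
            for m in rx.finditer(text)]


def find_embedded_keys(blob: bytes):
    """Scan a build artifact for keys stored in the clear or base64-encoded."""
    text = blob.decode("latin-1")  # lossless byte-to-char mapping for binary input
    findings = match_keys(text, "plain")
    for token in B64_TOKEN.findall(text):
        try:
            padded = token + "=" * (-len(token) % 4)
            decoded = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, so nothing to rescan
        findings += match_keys(decoded.decode("latin-1"), "base64")
    return sorted(set(findings))


# Constructed sample standing in for strings from an unpacked app package.
FAKE_AWS_KEY = "AKIA" + "EXAMPLEKEY000000"   # constructed, not a real key
FAKE_GOOGLE_KEY = "AIza" + "X" * 35          # constructed, not a real key
SAMPLE = (
    b'\x00\x01<string name="push_key">' + FAKE_GOOGLE_KEY.encode()
    + b'</string>\x00storage_key="'
    + base64.b64encode(FAKE_AWS_KEY.encode()) + b'";\x00'
)

if __name__ == "__main__":
    for kind, value, encoding in find_embedded_keys(SAMPLE):
        print(f"{kind} ({encoding}): {value}")
```

A finding in either encoding means the key ships to every user of the app; the fix is to remove it from the package and rotate it, not to encode it differently.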