
23 Android apps on the Google Play Store put the privacy of 100 million users at risk: report

  • Staff Writer
  • May 21, 2021
  • 2 min read

Updated: Jun 2


In a major discovery that sheds light on the poor security practices of many Android developers, cybersecurity firm Check Point Research (CPR) found several apps on the Google Play Store that were potentially exposing sensitive personal data of more than 100 million users through misconfigurations in their integration of third-party cloud services.


The exposed data included personal emails, private chats, photos, passwords and device locations. According to security experts at CPR, this sort of data can lead to identity theft and fraud if it falls into the hands of malicious actors.


CPR’s findings were based on an examination of 23 Android apps, with per-app download counts on the Play Store ranging from 10,000 to 10 million. Before making its findings public, CPR reached out to Google and to the developers of all 23 apps. Only a few of the developers had corrected their configurations at the time of publication, the firm said.


One of the misconfigurations was in real-time databases, cloud-hosted data stores that keep their contents synchronised with every connected client as changes happen. The app developers had not configured these databases with any form of authentication, so nothing restricted access to the stored data.


This sort of misconfiguration in real-time databases is quite common, and it is why the personal data of millions of Android users is at risk today, CPR’s security experts warned.
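The weak and the corrected configuration side by side, as an added example rather than anything from the CPR report: it assumes the real-time database in question is Firebase Realtime Database (the article does not name the service) and uses constructed rule sets; `find_open_paths` is a small audit helper written for this page, not a Firebase tool.

```python
"""Audit Firebase Realtime Database security rules for paths that need no authentication."""
import json

# Constructed example of the weak setup the article describes: no auth at all,
# so anyone holding the database URL can read and write everything.
WEAK_RULES = json.dumps({"rules": {".read": True, ".write": True}})

# Constructed hardened rules: a signed-in user may only touch their own subtree;
# one deliberately public, read-only path remains for app configuration.
HARDENED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "public_config": {".read": True, ".write": False},
    }
})


def _is_open(rule):
    """True if a .read/.write rule grants access without consulting `auth`.

    Literal true (or "true") is open; literal false is closed; any other
    expression that never mentions `auth` is treated as open, since nothing
    in it can tell an anonymous caller apart (a heuristic assumed here).
    """
    if rule is True:
        return True
    if rule is False:
        return False
    if isinstance(rule, str):
        expr = rule.strip()
        if expr == "false":
            return False
        return expr == "true" or "auth" not in expr
    return False


def find_open_paths(rules_json):
    """Return (path, permission) for every .read/.write rule that is open.

    Rules cascade: an open rule on a parent covers every child, so the
    shallowest finding is the one that matters most.
    """
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_open(value):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return findings


if __name__ == "__main__":
    print("weak:", find_open_paths(WEAK_RULES))        # [('/', '.read'), ('/', '.write')]
    print("hardened:", find_open_paths(HARDENED_RULES))  # [('/public_config', '.read')]
```

Because rules cascade downward, an open `.read` at `/` exposes every path beneath it, which is exactly the single-line mistake the weak ruleset makes. The equivalent black-box check a tester runs against a suspected Firebase backend is an unauthenticated GET to `https://<db-name>.firebaseio.com/.json` (placeholder name): a locked database answers `{"error": "Permission denied"}`, an open one returns the data.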



Astro Guru, an astrology app that collects users’ names, dates of birth, gender, location, email addresses and payment details to produce horoscope predictions, had reportedly overlooked this configuration. The app has over 10 million downloads.


Another app, T’Leva, which offers a taxi booking service and has over 50,000 downloads on the Play Store, was found to have stored users’ personal data, including names, phone numbers, locations and chat messages, in the cloud without any authentication.


Further, CPR found that some of the Android apps it examined had embedded push notification keys and cloud storage keys in the app package itself.


According to experts at CPR, when push notification keys are embedded in the application file, a threat actor who extracts them can take control of the feature and send notifications carrying malicious links or payloads to millions of unsuspecting users, apparently from the developer.

Most push notification services use such a key to identify the party submitting a request, so whoever holds the key can send notifications as the developer.


Similarly, a screen recorder app with over 10 million downloads was found to be storing users’ private passwords on the same cloud service that held their screen recordings. After analysing the application file, CPR researchers recovered the cloud storage keys needed to access every stored recording.


According to security experts at CPR, developers know that embedding cloud service keys in an app is bad practice, yet several of those examined had done so. Some tried to hide the keys with Base64 encoding, which is trivially reversible and offers no protection at all.
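A scanner for the embedded-key problem described above, from the push notification and cloud storage keys through the Base64 hiding attempt; this is an added example, not CPR’s tooling. It assumes the input is a list of strings dumped from a decompiled APK (constructed smali-style `const-string` lines here) and uses illustrative key shapes, assumed for the example: Google API keys (`AIza…`), legacy FCM server keys (`AAAA…:APA91b…`) and AWS access key IDs (`AKIA…`). The key values are constructed; `AKIAIOSFODNN7EXAMPLE` is AWS’s own documented placeholder.

```python
"""Scan strings dumped from a decompiled APK for embedded service keys,
including keys 'hidden' behind Base64 encoding."""
import base64
import binascii
import re

# Illustrative key shapes (assumed for this example, not taken from the article).
KEY_PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "fcm_server_key": re.compile(r"AAAA[0-9A-Za-z_-]{7}:APA91b[0-9A-Za-z_-]{100,}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
}
# Anything long enough and made only of Base64 alphabet characters is worth decoding.
BASE64_CANDIDATE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Constructed sample keys (not real credentials).
GOOGLE_KEY = "AIzaSyAbcdefghijklmnopqrstuvwxyz0123456"
FCM_KEY = "AAAAabcdefg:APA91b" + "x" * 140
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS's documented placeholder access key ID

# Constructed smali-style const-string lines, as a decompiler would emit them.
# Line 2 carries the FCM key the way the article says some developers "hid" it.
SAMPLE_LINES = [
    f'const-string v0, "{GOOGLE_KEY}"',
    f'const-string v1, "{base64.b64encode(FCM_KEY.encode()).decode()}"',
    f'const-string v2, "{AWS_KEY}"',
    'const-string v3, "https://example.invalid/v1/sync"',
]


def _try_base64(token):
    """Decode a Base64-looking token; return printable ASCII text or None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_strings(lines):
    """Return (line_no, kind, key, was_base64) for every key found.

    Each line is matched raw first, then every Base64-looking token in it is
    decoded and matched again, so a key wrapped in Base64 is still reported.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, pat in KEY_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((n, kind, m.group(0), False))
        for cand in BASE64_CANDIDATE.finditer(line):
            text = _try_base64(cand.group(0))
            if text is None:
                continue
            for kind, pat in KEY_PATTERNS.items():
                for m in pat.finditer(text):
                    findings.append((n, kind, m.group(0), True))
    return findings


if __name__ == "__main__":
    for n, kind, key, was_b64 in scan_strings(SAMPLE_LINES):
        wrapped = "(Base64-wrapped) " if was_b64 else ""
        print(f"line {n}: {kind} {wrapped}{key[:12]}...")
```

Run against a real dump (for instance the output of `strings` over the APK, or the `.smali` files from a decompiler), the same two passes catch both the plain keys and the Base64-wrapped ones; the decode step only costs a failed `b64decode` on tokens such as the 39-character Google key, whose length is not a multiple of four. The fix on the developer side is not better hiding but keeping the key off the device entirely: push sends and storage access go through a backend the developer controls, and the app holds only short-lived, per-user credentials.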



Image credit: Flickr

