*Cybersecurity experts disclose that the developers behind 23 mobile Android apps did not configure their real-time database properly, putting consumers鈥� data at risk

Isola Moses | 绿帽献妻

Researchers from cybersecurity security firm Check Point Research have discovered that a number of Android apps had 鈥渕isconfigurations鈥� on 鈥榗loud services鈥�, while leaving user data belonging to more than 100 million consumers vulnerable to a variety of malware attacks.

绿帽献妻 learnt Check Point, in a report published Thursday, May 20, 2021, said it recently found out that the developers behind nearly two dozen mobile apps didn鈥檛 configure their real-time database properly.

The firm stated that 鈥渞eal-time database allows application developers to store data on the cloud, making sure it is synched in real-time to every connected client.鈥�

According to the team, in the last few months, many application developers have 鈥減ut their data and users鈥� data at risk鈥� by failing to ensure that authentication mechanisms were in place.

The team further reported that 鈥渂y not following best practices when configuring and integrating 3rd party cloud services into applications, millions of users鈥� private data was exposed.

鈥淚n some cases, this type of misuse only affects the users, however, the developers were also left vulnerable.

鈥淭he misconfiguration put users鈥� personal data and developer鈥檚 internal resources, such as access to update mechanisms and storage at risk.鈥�

In connection with the 23 mobile apps examined,

The researchers said from the 23 Android apps they examined, Check Point noted that they included a taxi app with over 50,000 installs, a logo maker, a screen recorder with over 10 million downloads, a fax service, and astrology software, among others all contained a variety of security shortcomings.

Check Point said the apps were leaking data that included email records, chat messages, location information, user IDs, passwords, and images.

Thirteen of the apps left sensitive data publicly available in unsecured cloud setups.

In the case of the Angolan taxi app 鈥淭鈥橪eva,鈥� the researchers found that they were able to obtain user data, including messages exchanged with drivers, riders鈥� full names, phone numbers, and destination and pickup locations.

Describing the development as a 鈥榙isturbing reality鈥�, Aviran Hazum, Check Point’s Manager of Mobile Research, said the study “sheds light on a disturbing reality where application developers place not only their data, but their private users’ data at risk.”

Thus, when app developers fail to follow the 鈥渂est practices鈥� when configuring and integrating third party cloud services, the researchers said it could potentially leave users vulnerable to several types of cybersecurity threats.

Researchers said: “This misconfiguration of real-time databases is not new, but [..] the scope of the issue is still far too broad and affects millions of users.

“If a malicious actor gains access to this data it could potentially result in service-swipe (trying to use the same username-password combination on other services), fraud, and identity theft.”

The firm said it informed the app developers of the vulnerabilities, and a few have since changed their configuration.