Very popular applications, some of them downloaded more than 10 million times, suffer from serious security holes. Their developers did not protect access to users’ personal data on third-party cloud services.
E-mails, geolocation data, passwords, photos, message exchanges, personal data… This is the personal information of 100 million users of popular applications for Android, and it is not protected from possible capture by hackers. Detected by the research laboratory of the security company Check Point, this huge flaw concerns applications, some of which reach up to 10 million downloads.
In all, 23 applications for Android would be affected by these security flaws. They cover all kinds of uses, like Astro Guru, an astrology, horoscope and palmistry application, downloaded over 10 million times. After users enter their personal information such as name, date of birth, gender, home, email address, and payment details, Astro Guru provides them with a personal astrology report and horoscope. Unfortunately, this is all personal data that is not protected.
Another download champion, Screen Recorder, allows users to record the screen of their device and store the recordings on a cloud service. While access to screen recordings via the cloud is a handy feature, users’ private passwords are on the same cloud service that stores the recordings. Annoying… This is also the case with T’Leva, a taxi booking application that has been downloaded over 50,000 times. Check Point researchers were able to access conversations between drivers and passengers and retrieve users’ full names, phone numbers, and locations (destination and pickup).
Third-party cloud service security forgotten by developers
It all comes from a blatant lack of security around third-party cloud storage services, including real-time database processing. The same is true for services that manage the sending of notifications, for example. These are building blocks that developers can easily integrate into applications. But the developers completely neglect the security aspect of these third-party services and do not configure the data protection systems during their integration.
It is not only users’ personal data that is then at risk. Some features used by publishers are just as useful. A malicious person may very well gain access to the notification updates mechanism, for example. It can be a disaster if the notification prompts you to activate an update that actually has an update. To invite them to correct the situation, Check Point contacted all the publishers of the applications. At present, some, but not all, have taken care to strengthen their security. Similarly, Google has been informed and has encouraged them to provide more in-depth tests for the reception of these applications on the Play Store.
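
One way a developer can check for the misconfiguration described above, as an added example that is not from the article or from Check Point: a small linter for a real-time database's access rules. It assumes a JSON rules file in the style of Firebase Realtime Database rules (the article does not name the product), where a grant at a parent path also covers every child path; the sample rules and the `audit` function are constructed for illustration.

```python
import json

# Constructed sample: rules left wide open during integration (assumed format).
WEAK_RULES = json.loads("""
{"rules": {".read": true, ".write": true,
           "users": {"$uid": {".read": "auth != null"}}}}
""")

# Constructed sample: each record is readable and writable only by its owner.
HARDENED_RULES = json.loads("""
{"rules": {"users": {"$uid": {
    ".read":  "auth != null && auth.uid === $uid",
    ".write": "auth != null && auth.uid === $uid"}}}}
""")


def audit(rules):
    """Return (path, operation, issue) tuples for over-permissive rules."""
    findings = []

    def walk(node, path, open_ops):
        open_here = set(open_ops)
        for op in (".read", ".write"):
            if op not in node:
                continue
            # Normalise booleans and expressions: lower-case, no whitespace.
            norm = "".join(str(node[op]).lower().split())
            if op in open_ops:
                # An ancestor already grants this to everyone, so the
                # stricter rule written here never takes effect.
                findings.append((path or "/", op, "shadowed"))
            elif norm == "true":
                findings.append((path or "/", op, "public"))
                open_here.add(op)
            elif norm == "auth!=null":
                # Any signed-in account can reach every record at this path.
                findings.append((path or "/", op, "any-authenticated"))
        for key, child in node.items():
            if isinstance(child, dict):
                walk(child, f"{path}/{key}", open_here)

    walk(rules.get("rules", {}), "", set())
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit(rules))
```

Running such a check in the build pipeline catches rules that were left open for testing before the application ships.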
What you must remember
- Data of 100 million Android app users is unprotected
- Developers forgot to secure databases managed on cloud services
- Application notification management services may also be impacted