Researchers on Thursday reported that, while analyzing Android apps that use open cloud databases, they discovered serious cloud misconfigurations that led to the potential exposure of data belonging to more than 100 million users.
In a blog post, Check Point Research explained how the misuse of a real-time database, notification managers, and cloud storage exposed users' personal data and left corporate resources vulnerable to threat actors.
“By not following best practices when configuring and integrating third-party cloud services into applications, millions of users’ private data was exposed,” the researchers said. “In some cases this type of misuse only affects the users; however, the developers were also left vulnerable. The misconfiguration put users’ personal data and developers’ internal resources, such as access to update mechanisms and storage, at risk.”
While investigating content on the Google Play open real-time database, the researchers recovered a great deal of sensitive information, including email addresses, passwords, private chats, device locations, and user identifiers. The researchers said that if a malicious actor gained access to this data, it could result in fraud and identity theft. Astro Guru, a popular astrology app with more than 10 million downloads, had the same issue.
For some of the Android apps that Check Point examined, developers had embedded connection keys for back-end cloud storage directly into the mobile application code, said Michael Isbitski, technical evangelist at Salt Security. He said it is a bad practice to hardcode static access keys into an app, which the app then uses to connect to an organization’s own back-end APIs and to third-party cloud APIs.
“Compiled code within mobile app binaries is much more readable than many developers realize,” Isbitski said. “Decompilers and disassemblers are plentiful, and such connection keys are easily harvested by attackers. Attackers then bypass the app entirely and connect directly to back-end APIs to abuse the business logic of the app or scrape data.”
Stephen Banda, senior manager of security solutions at Lookout, said that to deploy code quickly, organizations rely on automated software delivery processes to upgrade functionality and apply security patches that keep cloud applications up to date. He said that moving at this speed, even with sound change management and security best practices in place, means every organization runs the risk of introducing misconfigurations into its cloud applications.
“Human factors, such as human error, cloud knowledge gaps, and lack of security awareness best practices, continue to be the dominating factor in introducing misconfigurations,” Banda said. “These misconfigurations present vulnerabilities that cyber attackers can exploit, ultimately putting customer data at risk.”
Salt Security’s Isbitski added that developers who use cloud storage must use the cloud provider’s access control and encryption mechanisms to keep the data protected. He said mobile app developers should use the Android Keystore and KeyChain mechanisms, which are backed by the mobile device’s hardware security module, and should also use Android’s encryption mechanisms when storing other sensitive data client-side.
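As an added illustration of the Keystore advice above (example code written for this page, not from Check Point or any of the apps it examined), the following Kotlin generates an AES key inside the Android Keystore and uses it to protect a runtime secret such as a per-user API token. It assumes minSdk 28 and a hypothetical key alias; the StrongBox fallback is the caveat most implementations forget.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEYSTORE = "AndroidKeyStore"
private const val ALIAS = "session-token-key"   // hypothetical key alias, chosen for this example
private const val GCM_IV_BYTES = 12
private const val GCM_TAG_BITS = 128

// Returns the app's AES key, generating it inside the Android Keystore on first use.
// The key material is created and kept in the keystore (hardware-backed where the device
// supports it) and is never handed to app code, so it cannot be harvested from the APK
// or from a copied data directory the way a hardcoded connection key can.
fun getOrCreateKey(): SecretKey {
    val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
    (ks.getEntry(ALIAS, null) as? KeyStore.SecretKeyEntry)?.let { return it.secretKey }

    fun spec(strongBox: Boolean) = KeyGenParameterSpec.Builder(
        ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setRandomizedEncryptionRequired(true)  // keystore supplies a fresh IV per encryption
        .setIsStrongBoxBacked(strongBox)        // dedicated secure element, API 28+
        .build()

    val kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
    return try {
        kg.init(spec(strongBox = true)); kg.generateKey()
    } catch (e: StrongBoxUnavailableException) {
        // Device has no StrongBox: fall back to the TEE-backed keystore rather than failing.
        kg.init(spec(strongBox = false)); kg.generateKey()
    }
}

// Encrypts a secret obtained at runtime (e.g. a token issued after login) for storage in
// app-private files. Output is IV || ciphertext || GCM tag; the IV is not secret.
fun sealToken(plaintext: ByteArray): ByteArray {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())
    return cipher.iv + cipher.doFinal(plaintext)
}

// Decrypts a blob produced by sealToken; doFinal throws AEADBadTagException if it was tampered with.
fun openToken(blob: ByteArray): ByteArray {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    val iv = blob.copyOfRange(0, GCM_IV_BYTES)
    cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), GCMParameterSpec(GCM_TAG_BITS, iv))
    return cipher.doFinal(blob.copyOfRange(GCM_IV_BYTES, blob.size))
}
```

This protects secrets the app receives at runtime after authenticating a user; it does not make a static back-end key embedded in the APK safe, which is the practice the article's sources warn against.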