Security vulnerabilities happen. It’s just part of programming any app. However, when the flaws result from bad coding practices, the problem can be particularly infuriating. Hard-coding authentication keys into the app or failing to set up authentication on an online database is unacceptable from a developer, and yet it is a fairly common occurrence.
On Thursday, cybersecurity firm Check Point Research released a report detailing 23 Android apps with poor cloud configurations and implementations that potentially left millions of users’ data at risk. Information that might have leaked included email records, chat messages, location information, images, user IDs, and passwords.
More than half the apps have over 10 million downloads each, so the scope of affected users is massive. Check Point estimates that these applications may have exposed more than 100 million users’ data.
Most of the apps had real-time databases that developers left wide-open to the public. This problem is common, and one that CPR says is “far too broad.” Its researchers found that they had free access to information in the databases of over half the apps they surveyed.
“Many developers know that storing cloud services keys in their application is bad-practice.”
They also discovered that not quite half the apps had their cloud storage keys embedded in the code of their apps. For example, CPR retrieved keys from within a fax application called “iFax” that would have granted them access to every fax transmission sent by the app’s more than half a million users. The researchers did not access these records for ethical reasons but verified through code analysis that they could have.
A less common problem that they discovered, but still worthy of note, was hard-coded push notification keys. Embedded notification keys are not quite as severe as having cloud storage keys coded into the program, but CPR explains that it is just as bad a practice.
“While the data of the push notification service is not always sensitive, the ability to send notifications on behalf of the developer is more than enough to lure malicious actors. Imagine if a news-outlet application pushed a fake news entry notification to its users that directed them to a phishing page requesting that they renew their subscription. Since the notification originated from the official app, the users will not suspect a thing, as they are sure that this notification was sent by the developers.”
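The hard-coded cloud storage keys and push notification keys described above are exactly what a pre-release audit of an app’s own sources can catch. As an added example that is not from the Check Point report or from any of the apps it covers, this Python script scans an unpacked app tree (decompiled sources and `res/values/strings.xml`) for literals in known key formats and for string resources whose name suggests a secret; the AKIA and AIza prefixes are the real AWS and Google key formats, while the sample resource file and every key value in it are constructed.

```python
import re
from pathlib import Path

# Real key formats: AWS access key IDs start with AKIA, Google API keys with AIza.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}"),
}
# Heuristic for strings.xml: a resource named like a secret with a long value.
SUSPICIOUS_RESOURCE = re.compile(
    r'<string\s+name="([^"]*(?:key|secret|token)[^"]*)"\s*>([^<]{16,})</string>',
    re.IGNORECASE,
)
# Constructed sample resource file; every value below is made up for this example.
SAMPLE_STRINGS_XML = """\
<resources>
    <string name="app_name">FaxDemo</string>
    <string name="s3_access_key">AKIAEXAMPLEEXAMPLE01</string>
    <string name="maps_key">AIzaSyExampleExampleExampleExampleExamp</string>
    <string name="push_server_key">constructed-push-key-value-0001</string>
</resources>
"""
SCAN_SUFFIXES = {".xml", ".java", ".kt", ".json", ".properties", ".gradle"}

def find_embedded_keys(text):
    """Map each credential-looking literal in text to the rule that flagged it."""
    findings = {}
    for kind, pattern in KEY_PATTERNS.items():
        for match in pattern.finditer(text):
            findings[match.group(0)] = kind
    for match in SUSPICIOUS_RESOURCE.finditer(text):
        name, value = match.group(1), match.group(2).strip()
        # Known formats take precedence; the heuristic only adds values not seen yet.
        findings.setdefault(value, f"suspicious_resource:{name}")
    return findings

def scan_tree(root):
    """Walk an unpacked app tree and return {file_path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            hits = find_embedded_keys(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    for value, kind in find_embedded_keys(SAMPLE_STRINGS_XML).items():
        print(f"{kind}: {value[:8]}...  (must not ship in a release build)")
```

Run `scan_tree` over the output of an APK decompiler before each release; any hit means the key belongs behind a backend the app authenticates to, not in the package.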
Check Point said that it notified the app makers before disclosing these vulnerabilities, and several followed up with updates to fix the issues. However, the 23 apps surveyed are only a minuscule sample of the 2.87 million apps on Google Play. There are likely to be many more out there using these same bad practices.