According to a report by Check Point Research, many popular Android apps put your personal data at risk due to poorly secured third-party services.
The report highlights several different security flaws affecting 23 different apps available on Google Play, each with anywhere from 50,000 to 10 million downloads. Most of the offending apps collect and store user information, developer data, and internal company resources using unsecured real-time databases and cloud storage services. The security researchers were able to find the unsecured cloud databases from 13 apps, meaning outsider actors can also access them.
Other apps have improperly configured push notification managers, which hackers could use to intercept and modify seemingly legitimate notifications from the developers, seeding them with malware, phishing links, or misleading content.
These vulnerabilities put at least 100 million Android users at risk of fraud, identity theft, and malware attacks.
Check Point Research says it found one or more of these flaws in 23 apps, 13 of which had openly accessible real-time databases. However, the report only calls out five of these apps by name:
G/O Media may get a commission
- Astro Guru: A horoscope app with over 10 million downloads. It stores each user’s full name, date of birth, gender, GPS location, email address, and payment information.
- iFax: A mobile faxing app that stores all documents sent by its 500,000-plus users in an accessible cloud database—with the cloud storage keys embedded in the app.
- Logo Maker: A graphic design app with over 170,000 users. Check Point found that all users’ full names, account IDs, emails, and passwords are accessible.
- Screen Recorder: This app has more than 10 million downloads. The report revealed it saves account passwords on the same cloud service that stores the recordings the app makes, leaving them vulnerable.
- T’Leva: A taxi-hailing app from Angola with more than 50,000 downloads, this one leaves text history between drivers and riders, location data, full names, and phone numbers accessible.
Check Point says it notified the app creators, but only Astro Guru responded, and all of the apps are still available on Google Play.
The first step is to stop using the of the apps called out in Check Point Research’s report—but since only five are named, that means there are at least 18 others out there storing your data without the proper safeguards.
And that’s just what we know of from Check Point’s report—there are likely far more apps, websites, and services with misconfigured databases that we’ll never know about until after a leak.
While Check Point Research’s report and others like it can alert developers to insecure data storage practices, it’s ultimately up to the developers to fix the issue. However, users can take preventative measure to keep their personal info and other important data safe, no matter what apps they’re using:
- Use two-factor authentication (2FA) whenever possible.
- Withhold personal information from your accounts (don’t add your home address if a service doesn’t need it, for instance), or use fake info whenever possible.
- Create unique passwords for every account and use an encrypted password manager.
- Do not link third-party accounts like Google, Facebook, and Twitter if you can avoid it.
- Keep app permissions to the bare minimum.
- Use services that notify you of breaches and compromised accounts.
These extra steps won’t stop a breach, but they can mitigate your risk of identity theft, fraud, and other scams. We also have guides for preventing and responding to data breaches, ransomware attacks, malware, and identity theft, and how to spot common phishing tactics and other online scams.