News of the widespread data leak comes from a study of just 23 apps by cyber threat intelligence vendor Check Point Research (CPR).
Its research turned up all kinds of personal data including emails, chat messages, location, passwords and photos, which CPR argues could lead to identity-theft and fraud.
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
The cybersecurity company says cloud services such as cloud storage, cloud databases, cloud analytics, and such have become an inherent part of a mobile application developers’ workflow, yet many refuse to follow security best practices when configuring them.
“Modern cloud-based solutions have become the new standard in the mobile application development world….Yet, developers often overlook the security aspect of these services, their configuration, and of course, their content,” says CPR.
CPR researchers note that it didn’t take them much effort to access sensitive data from real-time databases in thirteen Android apps, many of which have clocked millions of downloads.
More troubling is the fact that CPR found keys for push notifications and cloud storage embedded inside a number of Android apps themselves. If malicious attackers get hold of the push notification keys of an app, they can send malevolent content via notifications to users of the app.
Similarly, they were able to retrieve the cloud storage keys for some popular apps, which allowed them to view details that the users of the apps have entrusted to the app.
CPR has identified several apps, along with their security shortcomings, in their analysis, though they add that they approached both Google and the developers of the apps before sharing their findings.
“A few of the apps have changed their configuration,” shares CPR suggesting that many apps failed to mend their ways despite being warned.