The discovery of 23 leaky Android applications by Check Point Research (CPR) – which may, collectively, have put the personal data of more than 100 million users at risk – has prompted fresh warnings, and reminders, over how critical it is for software developers to keep on top of potential security slip-ups.
Check Point said it found publicly available, sensitive data from real-time databases in 13 Android apps, with between 10,000 and 10 million downloads apiece, and push notification and cloud storage keys embedded in many of the apps themselves. The vulnerable apps included apps for astrology, taxis, logo-making, screen recording and faxing, and the exposed data included emails, chat messages, location metadata, passwords and photos.
In every case, the exposure came about because of a failure to follow best practices when configuring and integrating third-party cloud services into the applications. CPR approached Google and all of the app providers prior to disclosure, some of which have since locked down their exposed instances.
“Mobile devices can be attacked in different ways. This includes the potential for malicious apps, network-level attacks, and exploitation of vulnerabilities within devices and the mobile OS,” the CPR team said in a disclosure blog.
“As mobile devices become increasingly important, they have received additional attention from cyber criminals. As a result, cyber threats against these devices have become more diverse. An effective mobile threat defence solution needs to be able to detect and respond to a variety of different attacks while providing a positive user experience.”
Veridium chief operating officer Baber Amin said there was no way the average Android user would have the technical ability to evaluate every element of the apps they downloaded, and since the problem is one of misconfigured access rules at the back end, there was essentially nothing they could do. However, users are still the ones who will suffer from their data being exposed.
“As the end result is information leakage, which also includes credentials, one thing users have control over is good password hygiene,” said Amin.
“Users can protect themselves to a certain degree by any of the following: not reusing passwords; not using passwords with obvious patterns; keeping an eye out for messages from other services they use on login attempts, password reset attempts or account recovery attempts; asking the application owner to support passwordless options; asking the application developer to support native on-device biometrics; looking for alternate applications that have stated security and privacy practices; and asking Google and Apple to do more due diligence on the back-end security of the applications they allow on their marketplace.”
Tom Lysemose Hansen, chief technology officer at Norway-based app security firm Promon, said Check Point’s findings were, on the whole, disappointing, as they highlighted “rookie errors” in the developer community.
“While it would be unfair to expect someone to never make a mistake, this is more than just a one-off. App data should always be protected. It’s as simple as that. Not obfuscated or hidden away, but protected,” he said.
“Accessing user messages is bad enough, but that’s not the worst of it. Should an attacker find a way to access API keys, for example, they can easily extract them and build fake apps that impersonate the real ones to make arbitrary API calls, or otherwise access an app’s back-end infrastructure to scrape information from servers.
“These types of attacks can result in serious data breaches and, aside from the associated fines, can have damaging effects on brand reputation,” added Hansen.
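A pre-release check of the kind that would catch the embedded push and cloud-storage keys Check Point describes, before a build ships: scan the app's string resources for credential-like names paired with long, high-entropy values. This is an added example, not Check Point's or Promon's tooling; the strings.xml content, resource names, key values and thresholds are all constructed for illustration.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample of res/values/strings.xml; the key values are made up.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Star Chart</string>
    <string name="welcome_text">Welcome back</string>
    <string name="push_server_key">AbCdEfGh1234567890xyzQWERTYuiop_-9876zz</string>
    <string name="storage_bucket_secret">k9Lm2Np4Qr6St8Uv0Wx1Yz3Ab5Cd7Ef9Gh</string>
    <string name="legal_notice">Copyright 2021 Example Ltd. All rights reserved.</string>
</resources>
"""

# Heuristics chosen for this example: a credential-like resource name plus a
# long, space-free, high-entropy value is a strong signal of an embedded key.
SENSITIVE_NAME = re.compile(r"key|secret|token|password|credential", re.IGNORECASE)
MIN_LENGTH = 20
MIN_ENTROPY_BITS = 3.5  # per character; English prose sits well below this


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; generated secrets score high."""
    if not value:
        return 0.0
    n = len(value)
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_embedded_secrets(strings_xml: str) -> list:
    """Return (resource_name, reason) pairs for values that look like credentials."""
    findings = []
    for elem in ET.fromstring(strings_xml).iter("string"):
        name = elem.get("name", "")
        value = (elem.text or "").strip()
        if " " in value or len(value) < MIN_LENGTH:
            continue  # human-readable text, not a key blob
        entropy = shannon_entropy(value)
        if SENSITIVE_NAME.search(name) and entropy >= MIN_ENTROPY_BITS:
            findings.append((name, f"credential-like name, entropy {entropy:.2f}"))
        elif entropy >= MIN_ENTROPY_BITS + 0.5:
            findings.append((name, f"high-entropy value, entropy {entropy:.2f}"))
    return findings


if __name__ == "__main__":
    for name, reason in find_embedded_secrets(SAMPLE_STRINGS_XML):
        print(f"{name}: {reason}")
```

Run against the resources of a release build in CI, a non-empty result fails the build; keys that must exist at runtime belong behind an authenticated backend call, not in the APK.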
Trevor Morgan, product manager at comforte AG, said the larger attack surface that cloud environments create made security harder for the companies that rely on them.
“With a hybrid and multicloud strategy, data becomes dispersed across multiple clouds as well as their own datacentres. Data security becomes even more difficult to manage as cloud infrastructure complexity grows,” he said.
“Combined with a modern DevOps culture, misconfigurations and general security requirements that are overlooked or flat-out ignored are becoming commonplace,” he said.
Since potentially sensitive data is required for many apps to function properly – especially those that generate revenue – data protection must be an important part of the development process and the overall protection framework, said Morgan.
He advised developers to adopt data-centric security practices to protect data even if other security layers fail or are bypassed, and said those using technologies such as tokenisation and format-preserving encryption were in a far better position to ensure that an incident such as an incorrectly configured cloud service does not necessarily develop into a full-blown data breach.
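The tokenisation approach Morgan refers to, as an added example rather than comforte's or any vendor's implementation: the cloud-hosted store only ever receives format-preserving tokens, so a misconfigured instance exposes nothing usable, while the mapping back to real values lives in a separate, access-controlled vault (an in-memory dict here stands in for that service). The field names and sample user record are constructed.

```python
import secrets
import string

PII_FIELDS = ("email", "phone")  # fields that never reach the cloud store in clear


class TokenVault:
    """Token <-> value mapping. This is the only store that must stay private; an
    in-memory dict stands in for a separately hosted, access-controlled vault."""

    def __init__(self):
        self._to_value, self._to_token = {}, {}

    @staticmethod
    def _random_like(value: str) -> str:
        # Format-preserving: same length, digits stay digits, letters stay letters,
        # punctuation keeps its position, so downstream validators still pass.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        """Return the token for value, minting a fresh unique one on first sight."""
        if value in self._to_token:
            return self._to_token[value]
        if not any(ch.isalnum() for ch in value):
            raise ValueError("value has no character that can be tokenised")
        token = self._random_like(value)
        while token == value or token in self._to_value:  # reject collisions
            token = self._random_like(value)
        self._to_value[token] = value
        self._to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def to_cloud_record(vault: TokenVault, user: dict) -> dict:
    """The record that reaches the cloud database: PII fields replaced by tokens."""
    return {k: vault.tokenize(v) if k in PII_FIELDS else v for k, v in user.items()}


def leaks_pii(record: dict, user: dict) -> bool:
    """True if any original PII value appears in the stored record."""
    return any(user[f] in record.values() for f in PII_FIELDS)
```

Tokens are random rather than derived from the value, so a dump of the cloud store cannot be reversed without the vault; the vault itself is the asset the access controls and audit logging must protect.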
But Chenxi Wang, general partner at security investment specialist Rain Capital and a former Forrester research vice-president, said the blame should not fall entirely on the app developers.
“Developers don’t always know the right things to do with regard to security. App platforms like Google Play and Apple Appstore must provide deeper testing, as well as incentivising the right behaviour from developers to build security in from the beginning,” said Wang.
“This discovery underscores the importance of security-focused app testing and verification,” she added.