mobile app security risks growing

By Jeff Domansky, May 25, 2021

Last week, Check Point Research (CPR) released a study showing misconfiguration of third-party services by mobile app developers exposed emails, passwords, names, and other personal data for more than 100 million users.

CPR outlines how lax security and the misuse of real-time databases, notification managers, and cloud storage resulted in the exposure and left corporate resources vulnerable to malicious actors.

Poor cloud security & lack of best practices prevail

Based on the analysis of just 23 top Android applications, CPR researchers found the exposure could impact tens of millions of users and developers and private companies selling and using applications.

mobile apps risk personal data

Real-time databases allow application developers to store data on the cloud, ensuring it is synched in real-time to every connected client, enabling database support for all client platforms. CPR found numerous developers did not configure their real-time database with one of the most basic features – authentication.

“This misconfiguration of real-time databases is not new, but to our surprise, the scope of the issue is still far too broad and affects millions of users. All our researchers had to do was attempt to access the data. There was nothing in place to stop the unauthorized access from being processed,” the report said.

Industry leaders were quick to point out the poor practices and their impact.

“This discovery underscores the importance of security-focused app testing and verification. Developers don’t always know the right things to do regarding security. The app platforms like Google Play and Apple Appstore must provide deeper testing as well as incentivizing the right behavior from developers to build security in from the beginning,” said Dr. Chenxi Wang, General Partner, Rain Capital, and a former Forrester VP of Research and Carnegie Mellon professor.

Many apps affected by poor security practices

Apps with real-time database risks included popular tools such as the free Logo Maker design tool (10 million+ downloads on Google Play), Astro Guru, a popular horoscope and astrology app (10 million+ downloads), and the T’Leva travel app (50,000+ downloads).

apps with real-time database risks

“CPR researchers were able to access chat messages between drivers and passengers and retrieve users’ full names, phone numbers, and locations (destination and pick-up) – all by sending one request to the database,” the report said.

Real-time databases aren’t the only risk. Push notifications put app users at risk of receiving false notifications, phishing, and other embedded file threats.

Cloud storage risks rising

Who doesn’t have data stored on the cloud? It’s a developer’s dream and implemented correctly, it’s also a security asset. The trouble is, it’s not implemented or appropriately secured every time.

Screen Recorder app

Take the hugely popular Screen Recorder app with more than 10 million downloads. The app records a smartphone screen and stores the recordings on a cloud service. Convenient, but the developers embedded the secret access keys, and CPR security quickly requested and recovered the private access keys for each screen recording.

“The second app, “iFax,” not only had the cloud storage keys embedded into the app but also stored all fax transmissions. After analyzing the app, we found a malicious actor could gain access to all documents sent by more than 500K users who downloaded this application,” the CPR report noted. “For ethical reasons, CPR did not access the storage account with the keys. We pulled evidence through the actual code of the apps to showcase that this type of sensitive information is accessible.”

CPR said most developers know that storing cloud service keys in their application is bad practice. “After analyzing cases, we found a few examples of keeping this issue “out of sight, out of mind” – i.e., developers tried to “cover-up” the problem with a solution that did not fix the problem.”

What to do after your data is compromised

Baber Amin, COO at Veridium, said, “Most users are not going to have the technical ability to evaluate the app, and since the problem is misconfigured access rules on the backend, there is very little end-users can do. The result is information leakage, which also includes credentials. One thing that end users have control of is good password hygiene.”

password hygiene

Amin said these positive password hygiene practices include:

  • not reusing passwords
  • no passwords with obvious patterns
  • looking at other applications with stated security and privacy practices.

Business users of applications that are not following good cybersecurity practices are particularly at risk in more than one way, according to Amin:

  • sensitive business information that can be exposed, exploited
  • exposure of credentials could allow for lateral movement and/or cascading exposure of other connected services
  • impersonation attack could further expose business users and their organizations

“For developers that are lacking cybersecurity skills, a possible danger is that someone could start impersonating their front end and access the backend stores or application logic as a legitimate service,” Amin added.

Developers have a responsibility too

Ideally, developers of these applications should bear the broadest responsibility, followed by the app stores, Amin said. “Unfortunately, all application developers are not equal in their cybersecurity knowledge or their ability to execute pen test and security audits. Thus, the app stores should step up their due diligence and perform more security audits, and provide tools for developers to perform self-audits. Another option is to create an independent certification body and also rely on existing certification bodies that provide marks for proper cybersecurity behavior. This is akin to buying a UL-listed product from your local supplier and knowing that it has passed certain tests. These checks and balances exist for physical goods already. We need to start treating digital goods and services with the same level of caution. Just like a Walmart or a Target won’t put something unsafe on their shelf, the app stores should do the same.

Another top security consultant agrees an exposure like this is out of the hands of most end users. “There is not much end users can do to prevent the exposure, but end users can take proactive steps to protect themselves when their data does get exposed,” said Irene Mo, Senior Consulting Associate at Aleada.

secure passwords

“My two top-tips for end-users are first, set up multi-factor authentication for every account that offers it, and second, lie on account security questions. With multi-factor authentication set up, even if your passwords are stolen, criminals need another form of authentication to access your account,” she emphasized.

Another multi-factor authentication method is security questions. “The answers to common security questions, like a user’s childhood street name or their favorite color, can be found publicly online. If a user lies on their security questions, only the user knows how they lied. And to keep track of their lies (a bonus tip), use a password manager,” Mo added.

App users could start by posting security concerns and questions on Google Play for those apps identified in the CPR study. That should provide strong motivation for improvements, using best practices, and improving security for fans of these popular apps.

The challenges of mobile apps, whether for entertainment, payments, or online shopping, will continue to grow. The onus is on developers and vendors to use best practices and for consumers to be more proactive in protecting their personal data.

You can read more details about the real risks of mobile app misconfiguration sent for practices in the Check Point Research report here.

Recent PaymentsNEXT fraud and security coverage:

Global payment fraud jumped 69% in the past year
Pandemic fraud & cybercrime hitting banks hard
Critical pandemic lessons in mobile payment fraud prevention