Information security specialists have published a report on the analysis of applications for the Android OS. Analysis of 23 applications showed that misconfiguration of the cloud services associated with them allows hundreds of millions of people to gain access to all kinds of personal information.
The Check Point Research (CPR) team found that 23 applications are prone to all sorts of configuration errors that give access to emails, chat messages, geolocation data, passwords and user photos. Even the developers’ own information resources were under threat.
In 13 of these applications, experts found confidential data in up-to-date databases whose storage was provided to developers by various cloud services synchronized with client applications. Access to some databases was not even properly secured, so researchers were able to obtain chat data and passwords simply by sending queries to the databases.
For example, an unnamed “popular taxi app” with a similar configuration failure has been downloaded by users over 50 times. Experts were able to read chats between passengers and drivers, learned full usernames, phone numbers and addresses of departure and destination.
The team also discovered that some programs embed all sorts of keys that not only allow access to the cloud but also give attackers the ability to send fake push notifications.
As for cloud storage, an analysis of the Screen Recorder program (more than 10 million downloads) revealed keys that give access to all records, and the iFax application contained authorization data and actually saved fax messages.
According to the researchers, the company reported the findings to Google and to all developers of “defective” applications, some of which have already released patch updates.