Application software leaking user data has long been a familiar topic, yet every new case is a reminder of how hard such leaks are to guard against, especially when the affected population is so large that you may well be one of the "victims".
On 20 May 2021, the security company Check Point Research (hereinafter CPR) published a report: because developers had misconfigured third-party cloud services, several popular Android applications exposed the personal data of more than 100 million users.
The CPR team said that by examining 23 applications it found that a variety of misconfigured cloud services could serve as a starting point for obtaining users' personal data and developers' internal resources.
A real-time database lets application developers store data in the cloud and synchronise it to every connected client in real time. To protect data privacy, the basic safeguard is to configure the real-time database so that it can only be accessed after authentication.
That is how it is supposed to work, but many popular applications fail to do so.
In its tests, CPR was able to recover the private information of many users from applications' publicly readable databases, including email addresses, passwords, chat histories and device locations. CPR therefore warns that, should malicious actors reach this data, it is likely to be used for fraud and account takeover.
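To make the configuration point concrete, here is an added example; it is not code from the CPR report or from any of the apps it names. It is a small Python checker that walks a Firebase Realtime Database rules document and flags every `.read` or `.write` granted without reference to `auth`. Both rule sets are constructed for illustration: the first is the wide-open pattern the report describes, the second scopes each record to the signed-in user.

```python
"""Added example: lint Firebase Realtime Database rules for unauthenticated access.

Not from the CPR report; the rule documents below are constructed for
illustration. Firebase rule values are either a boolean or a string
expression; a permission is effectively public if it is literally true or
if its expression never consults `auth`.
"""
import json

# Constructed: the wide-open pattern described in the report. Rules cascade
# downwards, so ".read": true at the root exposes the entire database.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed: each user record is readable and writable only by the signed-in
# user whose uid matches the record key; chat rooms require a signed-in user
# and only let a client write messages attributed to itself.
SCOPED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "rooms": {
      "$room": {
        ".read": "auth != null",
        ".write": "auth != null && newData.child('sender').val() == auth.uid"
      }
    }
  }
}
""")

PERMISSIONS = (".read", ".write")


def is_public(expr) -> bool:
    """True if a rule expression grants access without any reference to auth."""
    if isinstance(expr, bool):
        return expr
    return "auth" not in str(expr)


def find_public_paths(rules: dict) -> list:
    """Return (path, permission) pairs that anyone with the database URL can use."""
    findings = []

    def walk(node: dict, path: str) -> None:
        for key, value in node.items():
            if key in PERMISSIONS:
                if is_public(value):
                    findings.append((path, key))
            elif isinstance(value, dict):
                walk(value, path.rstrip("/") + "/" + key)

    walk(rules["rules"], "/")
    return findings


if __name__ == "__main__":
    for label, doc in (("open", OPEN_RULES), ("scoped", SCOPED_RULES)):
        print(label, find_public_paths(doc))
```

The checker is deliberately conservative: a string expression such as `"true"` is treated as public just like the boolean, and because permissions cascade in Firebase, a single public `.read` at `/` is enough to expose every path beneath it. The definitive test is still external: an unauthenticated `GET https://<project>.firebaseio.com/.json` that returns data instead of `{"error": "Permission denied"}` is exactly the condition the report exploited.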
CPR cited two applications: Astro Guru, an astrology app with more than 10 million downloads, and T'Leva, a ride-hailing app installed in more than 50,000 taxis.
From Astro Guru, CPR could obtain users' names, dates of birth, genders, locations, email addresses and payment details; from T'Leva, users' full names, phone numbers, locations (destination and pick-up point) and the chat history between drivers and passengers.
Everyone is familiar with push notifications; they are one of the most widely used services in mobile apps, and developers use them to interact with users. In general a push notification service requires at least one key that identifies the developer.
In some applications, however, this is not how things are done. CPR found that some developers simply embed this key in the application package itself, at which point the key no longer identifies anyone.
Compared with the data exposed by an open real-time database, a misconfigured push notification service does not directly compromise user information. But if a malicious actor impersonates the developer and pushes a malicious URL that looks like the official site, a user who is fooled will suffer all the same.
Cloud storage is a form of online storage in which data is kept on multiple virtual servers, usually hosted by a third party, and many applications now use it. It is a convenience in itself, but some developers embed the cloud storage key directly in the application's code.
With a quick analysis of the application files, the CPR team found these cloud storage keys. Take the screen-recording app Screen Recorder and the fax app iFax as examples: the key in Screen Recorder grants access to the screen recordings of all its users, and with the key in iFax all documents sent by more than 500,000 users can be accessed and downloaded.
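Finding such keys is mostly a matter of searching the unpacked APK, which is what "a quick analysis of the application files" amounts to. The following is an added example covering both the push-notification key and the cloud-storage key passages above; it is not from the report. It is a Python scanner over a decompiled app's `res/values/strings.xml` (the sample below is constructed, and every key in it is a dummy of the right shape rather than a real credential). It separates identifiers an app is expected to ship, such as the Firebase database URL and the Google API key, from credentials that must never be in an APK, such as a legacy FCM server key or AWS keys. The regexes for the key prefixes are my own and intentionally loose.

```python
"""Added example: scan a decompiled APK's strings.xml for embedded cloud credentials.

Not from the CPR report. The XML below is constructed and the values are
dummies shaped like real keys. Firebase/Google API keys are designed to be
shipped in clients (they are restricted server-side), so they are reported as
"public" identifiers; server keys and AWS keys are "secret".
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: what google-services tooling emits, plus keys a
# developer pasted in by hand.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Example App</string>
    <string name="firebase_database_url">https://example-app-12345.firebaseio.com</string>
    <string name="google_api_key">AIzaSyA1234567890abcdefghijklmnopqrstuv</string>
    <string name="fcm_server_key">AAAAbcdefgh:APA91b_dummy_value_used_only_for_this_example_0123456789</string>
    <string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
    <string name="welcome">Welcome back!</string>
</resources>
"""

# (kind, severity, regex). Patterns are loose by design: the goal is triage,
# and every hit should be confirmed by hand.
PATTERNS = [
    ("firebase_database_url", "public",
     re.compile(r"https://[a-z0-9-]+\.(?:firebaseio\.com|firebasedatabase\.app)")),
    ("google_api_key", "public", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("fcm_legacy_server_key", "secret",
     re.compile(r"\bAAAA[0-9A-Za-z_-]{7}:APA91b[0-9A-Za-z_-]{20,}")),
    ("aws_access_key_id", "secret", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
]

# Catches secrets with no recognisable prefix (AWS secret access keys, storage
# secrets) by the resource name the developer gave them.
SECRET_NAME_HINT = re.compile(r"secret|private|password|passwd", re.IGNORECASE)


def scan_strings_xml(xml_text: str) -> list:
    """Return one finding dict per suspicious <string> resource, in file order."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter("string"):
        name = elem.get("name", "")
        value = (elem.text or "").strip()
        matched = False
        for kind, severity, pattern in PATTERNS:
            if pattern.search(value):
                findings.append({"name": name, "kind": kind, "severity": severity})
                matched = True
                break
        if not matched and SECRET_NAME_HINT.search(name) and len(value) >= 20:
            findings.append({"name": name, "kind": "named_secret", "severity": "secret"})
    return findings


def secret_names(findings: list) -> list:
    """Names of resources that must be rotated and moved server-side."""
    return [f["name"] for f in findings if f["severity"] == "secret"]


if __name__ == "__main__":
    for finding in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(finding)
```

The same patterns apply to `assets/`, `BuildConfig`, and the smali or decompiled Java output, which is where keys assembled at runtime usually live; a string resource is just the easiest place to start. A "public" hit is still worth noting, because the database URL is precisely what an attacker needs to run the unauthenticated probe described in the real-time database section.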
App developers who knew better
Although these are not novel application vulnerabilities, in the end they come down to omissions by application developers. Moreover, after analysing dozens of cases CPR found that many developers knew better: they knew that embedding cloud service keys in application code is inadvisable, yet did so anyway.
In the report, CPR also listed 23 applications whose user data is at risk because of improper cloud service configuration. More than half of them have over 10 million downloads, and real-time database misconfigurations account for half of the issues.
For security reasons, the CPR team did not disclose the names of these 23 apps beyond the five singled out in its analysis. Before those five were named in the report, CPR had contacted their developers, and some have since updated their apps and fixed the issues: "Some of the apps have changed their configuration."
CPR added, however, that although the vulnerabilities have been reported to these applications, many have not yet been improved. And these 23 apps are only a tiny corner of Google Play, which hosts millions of apps, which suggests that apps leaking user data through misconfigured cloud services are more common than one might imagine.