Trust is the backbone of any business. What happens when this trust is breached? Loss of business and reputation. That’s exactly what the latest findings found out. Check Point Software Technologies has exposed a potent security threat to Android users in the latest finding. The security check found 23 Android applications jeopardized the personal data of over 100 million users. These threats arose due to misconfigured cloud services, mostly provided by third-party Cloud service providers to mobile application companies.
According to Check Point Research (CPR), mobile applications with a sizeable user base still use third-party cloud services. Misconfigured cloud services leaked personal data included emails, chat messages, location, passwords and photos. All these become an attack point for CTAs for online fraud, identity theft and service swipes.
What is a Misconfigured Cloud Framework?
Remote workplace demands have opened up new avenues for Cloud-based services and solutions providers. Mobile apps are making things easy for organizations in their digital transformation journeys, and it is heavily dependent on the way these organizations (that develop mobile applications) adapt to modern Cloud-based solutions. It’s all going well with the mobile app developers as long as they are able to see the benefits of using modern Cloud-based solutions. Some of these benefits include:
- Cloud-based storage,
- Real-time databases,
- Notification management,
- Analytics, and more.
On top of it, we are seeing rapid adoption of No-low and Low-code development platforms. That makes it even more easier for customers to just click and integrate into applications. But, the pain starts soon when you get to know that your whole strategy is built on misconfigured Cloud.
Misconfigured Cloud Databases refer to any real-time database that hasn’t been configured or synchronized with authentication functions. This misconfiguration of real-time databases affects millions of users. When Check Point Research analysts tried accessing these 23 applications, they had rather quick access to the user database.
Read Also: Security Culture Is Everyone’s Responsibility in 2021
Further probe revealed grievous loopholes in the system — all this arising through misconfigured cloud solutions. Researchers at CPR revealed they could access user data publically available from the database. These were:
- Email Addresses
- Passwords
- Private Chats
- Device location
- User Identifiers
All these made every mobile installing a compromised application vulnerable to all kinds of cyber threats.
Now, here’s what industry leaders are stating about the misconfigured Cloud solutions attracting CTAs.
Industry Insights
After the revelation was made, we spoke to Paul Bischoff, privacy advocate at Comparitech and Chris Hauk, consumer privacy champion at Pixel Privacy.
Paul Bischoff said, “Our own research on Android apps using Firebase databases aligns with Check Point’s findings. We found that 4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users’ personal information, access tokens, and other data without a password or any other authentication. Firebase is used by an estimated 30 percent of all apps on the Google Play Store, making it the most popular storage solution for Android apps.”
Paul added, “In separate studies, we also found that the average Android user has at least one app that requests excessive permissions, and many Android app use flawed credential storage that opens them up to attack.”
Read More: The Evolution of Integration: How iPaaS Will Drive Business Forward
Chris Hauk said, “What is shocking about this issue is that developers, as well as database administrators, don’t take the basic security steps required to protect their users’ data and personal information. Perhaps we’ve gotten to the point where App Stores like Google Play and Apple’s App Store make it a requirement for developers to properly protect their users’ data before having the app approved for distribution in the stores. While this is harder to enforce on a platform like Android where users can easily sideload apps onto their device, it would at least be a step in the right direction when it comes to protecting users.”
Chris added, “Perhaps it would also be advisable for developers to purchase a book or visit a website or five that will teach them how to properly secure an app user’s data. In today’s world, where there seems to be a data breach on a daily basis, developers cannot claim ignorance when it comes to protecting their users’ data.”
Source: Check Point
