Researchers: Android apps potentially expose data of millions of users

Researchers analyzing Android apps have discovered serious cloud misconfigurations leading to the potential exposure of data belonging to over 100 million users. No less than 23 popular mobile apps contained a variety of "misconfigurations of third-party cloud services", according to a cybersecurity researcher report cited by ZDNet. Daniil Chernov, Chief Technical Officer at DerSecur LTD., talks about this threat in more detail.

A mobile app (client) is installed on a device and requests a server where information is processed. Very few apps keep all functionality locally, without accessing an external server. Therefore, developers are constantly asking themselves what server to choose for data storage and processing: on-premise or cloud-based? The cloud model often wins for a number of advantages. For example, no server hardware procurement, maintenance or replacement costs mean that a developer will only pay for cloud resources provisioning. In this case, all app user activities are sent to a cloud server that processes such requests and returns results. Consequently, all user and app activity data are stored on the cloud. 

The above security problem took place because only a few developers check whether cloud storage is protected and, if so, how data is stored and accessed there. Like with cloud user experience, you can upload a document into cloud storage and grant access to everybody or only those knowing a specific URL. Consequently, if a developer leaves cloud storage keys in app code, data becomes exposed because of developer's error, rather than any problem inherent to the cloud storage. With the access key at hand and no other authentication mechanisms in the way, any outsider can thus access user data being processed in the cloud. 

Google Play app checks are highly automated and focused on detecting malware, while leaving security flaws in the code undetected. Therefore, an app in the official store can still represent a potentially dangerous user data exposure threat (personal data and any other types of information that the app server processes).