Date: 2021-05-21



We use mobile apps every day and assume that our data is stored securely when we download them. Most users never consider that a freshly installed app could be a privacy leak waiting to happen.

How many of the apps on your device do you think can endanger your personal and sensitive information? We hate to be the bearer of bad news, but it's more than you think. Just because they didn't make the headlines doesn't mean they are safe.

A number of apps have now been found leaking data from 100 million users. If you have any of the problematic apps, remove them immediately.

Here is the inside story

It didn't take long for Check Point Research (CPR) to start seeing warning signs. The company only had to look at 23 Android apps to see a pattern of publicly available personal information. Various misconfigurations of third-party cloud services could compromise the data of as many as 100 million users.

CPR said at a press conference that many app developers misused third-party cloud services such as real-time databases, notification managers, and cloud storage, resulting in the exposure of not only their users' data but also their own.

The exposed personal data was diverse, including emails, chat messages, locations, passwords, and photos. This is a treasure trove of information for cybercriminals who want to commit identity theft, fraud and other online scams.

Dangerous apps

Giving a few examples, CPR explained that the following can be extracted from the Astro Guru app, which has over 10 million downloads:

- Username
- Date of birth
- Gender
- Location
- Email address
- Payment details

The taxi application TLeva is another example of an app from which data can be extracted. Using the same techniques as CPR, a criminal could steal:

- Chat messages between drivers and passengers
- Users' full names
- Phone numbers
- Locations

CPR successfully accessed sensitive data from the real-time databases of 13 Android applications with downloads ranging from 10,000 to 10 million. CPR explained that if malicious attackers gained access to the same sensitive data, it could lead to fraud, theft of personal information, and service swipes.

The Logo Maker app has been found to expose:

- Email addresses
- Passwords
- Usernames
- User IDs

The Screen Recorder app, with over 10 million downloads, exposes user-created recordings. CPR managed to gain access to its cloud storage after discovering that the key was exposed. The iFax app, with 500,000 downloads, had the same vulnerability.

Storing cloud service keys in an app is a terrible idea, and some developers know it is bad practice. CPR's research found some cases where developers tried to hide the problem with a workaround that didn't actually solve it.

What you can do about it

There is little you can do about the misconfiguration of third-party cloud services. It is the developer's responsibility to keep their own data and their users' data safe. Aviran Hazum, CPR's mobile research manager, says that developers need to scan for vulnerabilities before they bring their applications to market.
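For developers, one form such a pre-release scan can take, as an added example that is not from CPR's report or any of the apps' code: it searches the text resources of an unpacked build of your own app for embedded cloud keys, and also decodes Base64 runs to show why encoding a key does not hide it. Base64 as the hiding method, the two key patterns and all function names are assumptions made for illustration; the sample uses AWS's documented example key ID.

```python
import base64
import re
from pathlib import Path

# Commonly used detection patterns for two key formats (assumed, not exhaustive).
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
}
# Runs that could be Base64-wrapped text; the 20-character floor is arbitrary.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def find_keys(text, encoded=False):
    """Return sorted (kind, value, was_encoded) tuples found in text."""
    hits = {(kind, m.group(0), encoded)
            for kind, rx in KEY_PATTERNS.items() for m in rx.finditer(text)}
    if not encoded:  # peel one layer of Base64 and look again
        for run in B64_RUN.findall(text):
            try:
                decoded = base64.b64decode(run, validate=True).decode("ascii")
            except ValueError:  # bad padding/alphabet, or not ASCII text
                continue
            hits |= set(find_keys(decoded, encoded=True))
    return sorted(hits)


def scan_build(root):
    """Scan the text resources of an unpacked build of your own app."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in {".xml", ".json", ".properties"}:
            found = find_keys(path.read_text(errors="ignore"))
            if found:
                report[str(path)] = found
    return report


# Constructed sample: AWS's documented example key ID, plain and Base64-wrapped.
WRAPPED = base64.b64encode(b"AKIAIOSFODNN7EXAMPLE").decode()
SAMPLE = f"""<resources>
  <string name="storage_key">AKIAIOSFODNN7EXAMPLE</string>
  <string name="storage_key_hidden">{WRAPPED}</string>
</resources>"""

if __name__ == "__main__":
    for hit in find_keys(SAMPLE):
        print(hit)
```

Any hit means the key ships to every device that installs the app, so it should be rotated and moved behind a server-side component rather than re-encoded.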

Your best bet is to remove any of the apps listed in the report if you have them installed. You can also use the popular haveibeenpwned.com website to see if your data is published on the dark web.

We recommend reading an app's online reviews before downloading it. Also, do a quick Google search to see if it has been mentioned in any security briefings.

