Android Privacy Security

Just a Handful of Android Apps Exposed Data of More than 100 Million Users (therecord.media)

Almost half a decade after the first reports were published, mobile app developers are still exposing their users' personal information through abhorrently simple misconfigurations. From a report: In a report published last week, security firm Check Point said it found 23 Android applications that exposed the personal data of more than 100 million users through a variety of misconfigurations of third-party cloud services. This included developers who forgot to password-protect their backend databases and developers who left access tokens/keys inside their mobile application's source code for services such as cloud storage or push notifications. The Check Point team said it was able to use the information they found through a routine examination of 23 random applications and access the backend databases of 13 apps. In the exposed databases, researchers said they found information such as email addresses, passwords, private chats, location coordinates, user identifiers, screen recordings, social media credentials, and personal images.
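The two misconfigurations the summary describes, credentials left inside the app package and a backend database that answers unauthenticated requests, are both things a reviewer can check for in minutes. The following Python is an added example, not code from Check Point or from the report: it scans a constructed dump of strings from a decompiled APK for common cloud key formats (Google API keys, AWS access key IDs, Firebase Realtime Database URLs), builds the unauthenticated REST read that exposes an open Firebase database, classifies the HTTP result of such a probe, and flags Firebase security rules that grant read or write to everyone. All key values, hostnames and rule documents below are made up; the regexes assume the publicly documented key shapes and only cover a few services.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of strings lifted from a decompiled APK (resources/strings.xml,
# smali constants). Every value here is fabricated for this example.
SAMPLE_STRINGS = """
app_name=Logo Maker Demo
firebase_database_url=https://example-app-12345.firebaseio.com
google_api_key=AIzaSyA1234567890abcdefghijklmnopqrstuv
aws_access_key=AKIAIOSFODNN7EXAMPLE
aws_secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Assumed key shapes: Google API keys are "AIza" + 35 chars, AWS access key IDs are
# "AKIA" + 16 uppercase alphanumerics, classic Firebase RTDB hosts end in firebaseio.com.
SECRET_PATTERNS = {
    "firebase_db_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])"),
}


def find_embedded_credentials(text):
    """Return (kind, value) pairs for every credential-looking string in the dump."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0)))
    return hits


def firebase_probe_url(db_url):
    """The unauthenticated REST read that reveals an open Realtime Database.

    shallow=true asks Firebase for the top-level keys only, so a check does not
    download the whole database. Only probe databases you are authorised to test.
    """
    host = urlparse(db_url).netloc
    return f"https://{host}/.json?shallow=true"


def classify_probe(status, body):
    """Interpret the response of GET <db>/.json made with no auth token."""
    if status == 200:
        return "OPEN: unauthenticated read returned data"
    if status == 401 and "Permission denied" in body:
        return "LOCKED: rules require authentication"
    if status == 404:
        return "NOT FOUND: no database at this host"
    return f"UNKNOWN: HTTP {status}"


# Weak rules (the default-style 'everyone can read and write') beside a hardened set
# that lets each signed-in user reach only their own subtree.
WEAK_RULES = json.dumps({"rules": {".read": True, ".write": True}})
HARDENED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
})


def public_permissions(rules_json):
    """Return the set of permissions ('read', 'write') granted to unauthenticated clients.

    A rule that is literally true grants access to everyone, and Realtime Database
    rules cascade downwards, so a true anywhere in the tree opens that subtree.
    """
    found = set()

    def walk(node):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write") and value in (True, "true"):
                found.add(key[1:])
            elif isinstance(value, dict):
                walk(value)

    walk(json.loads(rules_json).get("rules", {}))
    return found


if __name__ == "__main__":
    for kind, value in find_embedded_credentials(SAMPLE_STRINGS):
        print(f"embedded {kind}: {value}")
        if kind == "firebase_db_url":
            print("  probe:", firebase_probe_url(value))
    print("weak rules expose:", public_permissions(WEAK_RULES))
    print("hardened rules expose:", public_permissions(HARDENED_RULES))
```

The regex pass is the cheap half of what the report describes: a grep over `apktool`'s output finds the same strings the researchers found. The rules check is the fix on the backend side; the point of the hardened rules is that no client, authenticated or not, can enumerate other users' records, which is exactly the data (chats, locations, identifiers) the summary lists as exposed.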
  • by Snotnose ( 212196 ) on Monday May 24, 2021 @09:07AM (#61415936)
    I RTFA and Checkpoint only mentioned 5 of the apps, none of which I use. Be nice to know the other apps.
    • by bobstreo ( 1320787 ) on Monday May 24, 2021 @09:37AM (#61416024)

      I RTFA and Checkpoint only mentioned 5 of the apps, none of which I use. Be nice to know the other apps.

      For all the other /. readers who didn't bother reading the article:

      Unfortunately, Check Point only shared the names of five of the 23 apps that exposed information through their backends—Logo Maker, Astro Guru, T’Leva, Screen Recorder, and iFax.

  • While a good part of Apple's acceptance or rejection of apps into its App Store is based on anti-competitive actions, it also gives the user safer applications. Considering that iOS is about 13 years old now, widely popular and highly used by people of all ages and IT skill levels, we haven't had any huge problem with Apple apps that exposed a large number of people, or had some massive hacks.

    Granted it is much like how a Gated Community can say how much lower its crime rate is. Not because of better poli

    • by ArmoredDragon ( 3450605 ) on Monday May 24, 2021 @09:44AM (#61416052)

      Something tells me this is an iOS problem as well, though iOS being notoriously difficult to audit makes it less likely that a third party would be able to spot something like this. Apple is already well known to let outright scammy apps through their censors, something tells me that a misconfigured cloud storage, especially one apple has zero control of, would fly right past their censors.

    • by pjt33 ( 739471 )

      We haven't had any huge problem with Apple apps that exposed a large number of people, or had some massive hacks.

      This particular story reports on security researchers who only looked at Android apps. But there have been plenty of stories in the past about security researchers who looked at iOS apps and found very similar problems. And see, for example, this from earlier this month [slashdot.org]:

      In 2015, unknown hackers snuck malware onto thousands of apps on the iPhone App Store. ... But now, thanks to emails published a

    • by theshowmecanuck ( 703852 ) on Monday May 24, 2021 @09:47AM (#61416062) Journal
      I worked at a company that made mobile apps, and they made both iOS and Android apps. And both apps used the same back end services (where most of the issues are according to this article). So stop mumbling on Apple cock and be useful for a change. Bad coding practices don't know any one specific platform, they are universal. I've seen supposedly senior devs leave in default passwords on back end containers after bitching that they should be allowed to manage their own dev servers. And then they expose the servers to the world by fucking up white and black lists in the firewall rules and open up huge security holes. These idiots work in every technology stack, and it's even more likely to happen the smaller the shop you go to. Especially one and two man operations (and women and question marks).
  • by theshowmecanuck ( 703852 ) on Monday May 24, 2021 @09:16AM (#61415966) Journal
    It sounds like they meant to say "In the Handful of Android Apps That Were Checked, More Than 100 Million Users' Data Was Exposed".
  • "Just a handful of Android apps exposed data."

    Sounds less alarmist, eh?

  • Just checked and there's over 3 million apps. Just guessing a couple million are wallpapers, but yes, it's beyond ridiculous. I think in this case less is better. Almost forgot, the whole idea of the smartphone is to keep tabs on its owner. It's not a flaw, it's a feature (for Google).
    • The bigger problem is the search algos for both Google and Apple promote actively developed and downloaded apps. So, new shit gets put in your face, which is nice sometimes. As well as well-supported apps with lots of users driving active development, which is also usually good. And stuff people download a lot is maybe popular and good.

      But they also promote buggy software that needs updates over software that worked fine in 2011 and still works fine. It promotes pay-to-play downloads over software that's be

  • "This included developers who forgot to password-protect their backend databases"

    There are two mistakes here: in addition to not password protecting their databases, the databases should not be accessible from the Internet.

    • Meh. Private certs and strong passwords do good work.

      • Meh. Private certs and strong passwords do good work.

        Defense in depth.

        There is no reason to expose the database to the Internet. Any exposure is risk. What if a zero-day vulnerability is found in the database software?

        • Well, if the zero day requires a TLS handshake, you're covered already. In essence, there already is layered security. More layers are better until they're not.

          The DB software is likely more secure than your web app front-end that has access to the DB. It all depends on what you're trying to do.

          Everything has its place. It's true most people who put DBs on the Internet do it because it's easier, and those people aren't going to spend the time solving the certificate and creds distribution problem. But if th

  • The world doesn't need millions (literally) of applications more than it needs security.

    If AAPL were serious about security they'd block all software Apple or actual partners do not produce and make a proper walled garden that locks out outsiders, ALL of them.

    Android is hopeless from a security perspective and should be left to those who resent security. Understanding what one cannot have is important to making informed choices.

    Clueful users would be best served by pure FOSS phones but there won't b

  • And that is no mistake. The whole idea was from the start that semi-competent and incompetent people would write tons of apps. Some would appear to be well-written and hence be actually used. The problem in the story is just a completely predictable side-effect.
