Date: 2021-05-20

Malicious apps aren’t the only threat putting Android phone owners at risk: legitimate app developers can also make configuration errors and expose private data. This is precisely what has happened recently, and it affects no less than 100 million users.

A report from the security company Check Point Research claims that at least 23 popular Android applications contained a series of “misconfigurations in third-party cloud services.” In some cases, they indicate, in addition to leaving data such as messages, passwords, photos and videos easily accessible, the misconfigurations left the developers themselves off guard against possible attacks.

To understand the scope of this security problem, it is necessary to remember that third-party cloud services are widely used by different Android apps to store and sync data between different devices. While useful for developers, misconfigurations can leave user data within the reach of cybercriminals.

The mistake of some Android app developers

Check Point Research has found that developers of 23 Android apps did not use secure authentication mechanisms. Among them are the taxi application T’Leva, which has more than 50,000 downloads; the astrology app Astro Guru, with more than 10 million downloads; and iFax, Logo Maker and Screen Recorder, among others not specified in the report.

The research team found that in some cases, user credentials were publicly available on the network. In others, it was the Android app's chat history, including users' telephone numbers and locations.

In the case of the screen recording and fax applications, for example, user images and videos were not properly protected, so Check Point Research was able to freely access that content. They also found errors in the push service implementation, which meant an attacker could have sent notifications on behalf of the application.

The company informed the developers of the security problems detected in their Android apps. Some have since fixed the bugs. However, Check Point insists that “if a malicious actor gains access to this data, it could potentially result in unauthorized access to accounts, fraud and identity theft.”

