Security News > 2021 > May > 23 Android Apps Expose Over 100,000,000 Users' Personal Data
Misconfigurations in multiple Android apps leaked sensitive data of more than 100 million users, potentially making them a lucrative target for malicious actors.
"In some cases, this type of misuse only affects the users; the developers were also left vulnerable. The misconfigurations put users' personal data and developer's internal resources, such as access to update mechanisms, storage, and more at risk."
The findings come from an examination of 23 Android apps available in the official Google Play Store, some of which have downloads ranging from 10,000 to 10 million, such as Astro Guru, iFax, Logo Maker, Screen Recorder, and T'Leva.
Because the database was not secured behind authentication barriers, the researchers said they were able to obtain data belonging to users of the Angolan taxi app T'Leva, including messages exchanged between drivers and passengers as well as riders' full names, phone numbers, and destination and pick-up locations.
This could not only make it easier for bad actors to send a rogue notification to all users on behalf of the developer, but could also be weaponized to direct unsuspecting users to a phishing page, thus becoming an entry point for more sophisticated threats.
Check Point notes that only a few of the apps changed their configuration in response to responsible disclosure, implying that users of the other apps remain susceptible to threats such as fraud and identity theft, not to mention the use of stolen passwords to gain fraudulent access to other accounts.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/6CFMP63bgDI/these-23-android-apps-expose-over.html