Security News > 2021 > May > Android Apps Expose Sensitive Data Due to Misconfigured Third-Party Services
Researchers at cybersecurity firm Check Point discovered that many Android applications publicly expose sensitive user data through misconfigured third-party services.
The exposed data, which pertains to more than 100 million Android users, includes chat messages, emails, passwords, location information, user identifiers, photos, and more.
The exposed real-time databases, which are meant to store data in the cloud and keep it continuously synchronized with the client, were not protected by any authentication mechanism, a misconfiguration that allowed anyone to access the information, without authorization.
Malicious actors able to access the sensitive data exposed by this commonly encountered misconfiguration could attempt to compromise user accounts on various online services, or even abuse the information for identity theft, Check Point notes.
One of the misconfigured apps was Astro Guru, a popular astrology, horoscope, and palmistry app with more than 10 million downloads, which asks users for personal information such as names, dates of birth, gender, email, location, and payment details.
Some of the analyzed apps were found to contain embedded within them the keys for push notification services, making it easy for hackers to access them and send potentially malicious notifications to all of the apps' users.