Expert Commentary: Android Apps Exposed Data Of Millions Of Users Through Cloud Authentication Failures

BACKGROUND:

Researchers analyzing Android apps have discovered serious cloud misconfigurations leading to the potential exposure of data belonging to over 100 million users. In a report published on Thursday by Check Point Research, the cybersecurity firm said no fewer than 23 popular mobile apps contained a variety of “misconfigurations of third party cloud services.” According to CPR, the 23 Android apps examined, including a taxi app, logo maker, screen recorder, fax service, and astrology software, leaked data including email records, chat messages, location information, user IDs, passwords, and images. In 13 cases, sensitive data was publicly available in unsecured cloud setups. These apps accounted for between 10,000 and 10 million downloads each.

6 Expert Comments
Trevor Morgan, Product Manager
InfoSec Expert
May 21, 2021 12:50 pm

Unfortunately, we come across another misconfigured cloud service leading to the exposure of millions of records. Data breaches from cloud computing often happen because sensitive data is stored and processed in clear text form. While cloud service providers offer data security capabilities, those capabilities are usually rather basic, and the particular business is still the responsible caretaker, especially in the eyes of regulators. The increased attack surface of cloud environments makes for a potentially weak overall security posture. In addition, with a hybrid and multi-cloud strategy, data becomes dispersed across multiple clouds as well as their own datacenters. Data security becomes even more difficult to manage as cloud infrastructure complexity grows.

Combined with a modern DevOps culture, misconfigurations and general security requirements that are overlooked or flat-out ignored are becoming commonplace. Sensitive data is required for many business use cases, especially those that generate revenue or provide valuable analytics for key industries such as financial services, insurance, and healthcare. Data protection, of course, is a crucial part of the cybersecurity protection framework. Data protection that focuses on the data itself (data-centric security) allows sensitive data to remain protected, even when other security layers in an organization’s cybersecurity framework fail or are bypassed. In addition, it enables processing and analytics on protected data, drastically reducing exposure of sensitive data. Companies today that are using technologies such as tokenization and format-preserving encryption are in a better position to ensure that an incident doesn’t have to become a data breach.

Irfahn Khimji, Tripwire Inc
InfoSec Expert
May 21, 2021 12:48 pm

Unfortunately, misconfigurations like these have become all too common. Exposing sensitive data does not require a sophisticated vulnerability; rather, a simple misconfiguration can lead to data being exposed. The rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone. A misconfigured database on an internal network might not be noticed, and if noticed might not go public, but the stakes are higher when organizational data storage is directly connected to the Internet. Organizations should identify processes for securely configuring all systems, including cloud-based storage, such as Azure Blob Storage, Amazon S3 Buckets, and Elasticsearch. Once a process is in place, the systems must be monitored for changes to their configurations, as change detection is key for securing an organization’s cloud storage and preventing inadvertent exposure. These are solvable problems, and tools exist today to help.

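The secure-configuration-plus-change-detection process described in the comment above, as an added example that is not part of the comment or of any Tripwire tooling: a small Python check over constructed, S3-style bucket policy and ACL JSON (the bucket name, account ID and role name are made up) that flags grants to everyone and fingerprints the whole configuration so that any later change is detected.

```python
# Added example: flag public grants in a bucket policy/ACL and fingerprint the
# configuration for change detection. Sample JSON is constructed, S3-style.
import hashlib
import json

# Canned grantee URIs that make an S3 bucket or object readable by anyone.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample: the approved configuration and a later, drifted one.
BASELINE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRole", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-backend"},
     "Resource": "arn:aws:s3:::example-app-uploads/*"}]}
DRIFTED_POLICY = {"Version": "2012-10-17", "Statement": [
    BASELINE_POLICY["Statement"][0],
    {"Sid": "Public", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": "*", "Resource": "arn:aws:s3:::example-app-uploads/*"}]}
BASELINE_ACL = {"Grants": []}
DRIFTED_ACL = {"Grants": [{"Permission": "READ", "Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}

def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def public_access_findings(policy, acl):
    """Return one finding string per public grant in the policy or ACL."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        # An unconditional Allow to "*" or {"AWS": "*"} is the classic open bucket.
        if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                and "*" in _as_list(aws)):
            actions = ", ".join(_as_list(stmt.get("Action")))
            findings.append(f"policy {stmt.get('Sid', '?')}: public Allow on {actions}")
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append(f"acl: {grant.get('Permission')} granted to {uri}")
    return findings

def config_fingerprint(policy, acl):
    """Canonical SHA-256 of the configuration; compare against the stored baseline."""
    canonical = json.dumps({"policy": policy, "acl": acl}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()
```

Storing the baseline fingerprint and re-computing it on every scan catches any edit to the policy or ACL, while the findings list explains which edits actually opened the bucket.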
Irene Mo, Senior Consulting Associate
InfoSec Expert
May 21, 2021 12:45 pm

An exposure like this is out of the hands of most end users. There is not much end users can do to prevent the exposure, but end users can take proactive steps to protect themselves when their data does get exposed.

My two top tips for end users are: 1) set up multi-factor authentication for every account that offers it, and 2) lie on account security questions. With multi-factor authentication set up, even if your passwords are stolen, criminals need another form of authentication to access your account.

One multi-factor authentication method is security questions. However, the answers to common security questions, like a user’s childhood street name or their favorite color, can be found publicly online. If a user lies on their security questions, only the user knows how they lied. And to keep track of their lies (a bonus tip), use a password manager.

Dr. Chenxi Wang, General Partner
InfoSec Expert
May 21, 2021 12:31 pm

This discovery underscores the importance of security-focused app testing and verification. Developers don’t always know the right things to do with regard to security. App platforms like Google Play and the Apple App Store must provide deeper testing as well as incentivize the right behavior from developers to build security in from the beginning.

Baber Amin, COO
InfoSec Expert
May 21, 2021 12:28 pm

Most users are not going to have the technical ability to evaluate the app, and since the problem is misconfigured access rules on the backend, there is very little end users can do.

As the end result is information leakage, which also includes credentials, one thing that end users have control over is good password hygiene.

End users can protect themselves to a certain degree by any of the following:

1. Not reusing passwords
2. Not using passwords with obvious patterns
3. Keeping an eye out for any messages from other services they use about login attempts, password reset attempts, or account recovery attempts
4. Asking the application owner to support passwordless options
5. Asking the application developer to support native on-device biometrics
6. Looking for alternate applications that have stated security and privacy practices
7. Asking Google and Apple to do more due diligence on the back-end security of the applications they allow on their marketplace

Information Security Buzz