Poorly created apps have left the data of 100 million Android users exposed, a cyber security research firm has said.
Check Point Research analysed 23 Android apps downloaded through Google Play and found that the lack of security safeguards built into online platforms left users’ personal information exposed.
“We were able to recover a lot of sensitive information including email addresses, passwords, private chats, device location, user identifiers, and more,” stated a Check Point Research report.
“If a malicious actor gains access to [this] data it could potentially result in service-swipes, that is, trying to use the same username-password combination on other services, fraud, and identity theft.”
More than 50 million personal chat messages have been exposed through misconfigured real-time databases, the research showed, while the browser history of a further 10 million has been left vulnerable.
In other instances, tens of millions of email addresses, pincodes, location information, phone numbers, profile images, nicknames and Facebook IDs were exposed.
Check Point researchers analysed Astro Guru, a popular astrology app that had been downloaded more than 10 million times, and uncovered users’ personal information such as name, date of birth, gender, location, email and even payment details.
In another app called T’Leva, a taxi app that had been installed more than 50,000 times, the researchers were able to access chat messages between drivers and passengers and find users’ full names, phone numbers, and destination and pick-up locations, all through a single request to the database.
Analysis of other data storage apps like Screen Recorder and iFax, which have more than 10 million and 500,000 downloads respectively, revealed that malicious actors were able to “gain all access to all documents”.
The researchers did not need to go to great lengths to ‘hack’ into the apps, the report said, meaning the information was available to anyone who knew how to look for it.
“All our researchers had to do was attempt to access the data. There was nothing in place to stop the unauthorised access from being processed,” the report said.
Check Point researchers stated they reached out to Google and each of the app developers before publishing their research, and a number of them have since changed their configurations.