Researchers at Check Point released a report showing how roughly 100 million Android users have been exposed to a data leak. The cause is a misconfiguration of real-time databases tied to numerous third-party Android OS applications (13 in total). The specific issue has to do with app developers not being meticulous when integrating their products with third-party cloud services. The result is chat logs, passwords, location data, and numerous other sensitive data logs exposed to threat actors.
Check Point’s report explains the configuration issue behind this Android data leak on a more technical level in the following excerpt:
Real-time databases allow application developers to store data on the cloud, making sure it is synchronized in real-time to every connected client. This service solves one of the most encountered problems in application development, while making sure that the database is supported for all client platforms. However, what happens if the developers behind the application do not configure their real-time database with a simple and basic feature like authentication?
This misconfiguration of real-time databases is not new, and continues to be widely common, affecting millions of users. All CPR researchers had to do was attempt to access the data. There was nothing in place to stop the unauthorized access from happening.
What this situation shows is two major issues — two that are in some ways connected. The first is that application developers often ask for incredibly sensitive data to perform tasks that really do not require it. One example of the applications was a horoscope service that asked for a large amount of personal data. Why on earth do you need to give your extensive background to an automated program for an astrology reading?
Secondly, this shows that privacy and data protections cannot be expected when using any application. Ultimately, users need to be defensive of every single thing they use on their devices. If an app for some frivolous purpose, or even something more serious, asks for a large amount of personal information, perhaps consider whether you truly need to take the risk.
Data leaks are happening at an alarmingly accelerating rate, and ultimately it is up to the individual how much they wish to risk in this technological hellscape.
Featured image: Flickr / Uncalno Tekno