Newly Uncovered Security Flaw Could Affect 100 Million Users, Report Claims

Developers may have overlooked issues

The data of over 100 million Android users could be exposed to hackers due to a flaw in the way the devices handle cloud security, according to a report issued Thursday.

Cybersecurity firm Check Point Research claimed in the study that at least 23 popular mobile apps contain "misconfigurations" of third-party cloud services. The company said that developers of some of the apps didn’t check if security measures designed to prevent data breaches were in place when synchronizing with cloud services.  


"By not following best practices when configuring and integrating third party cloud services into applications, millions of users’ private data was exposed," the researchers wrote.

"In some cases, this type of misuse only affects the users, however, the developers were also left vulnerable. The misconfiguration puts users’ data and developer’s internal resources, such as access to update mechanisms and storage at risk."

The researchers examined 23 Android apps, including a taxi app, logo maker, screen recorder, fax service, and astrology software, and found that they leaked data, including email records, chat messages, location information, user IDs, passwords, and images.

Cybersecurity experts say that developers should have been aware of the vulnerabilities. 

"Developers tend to think that mobile backends are hidden from hackers," Ray Kelly, a principal security engineer at the cybersecurity firm WhiteHat Security, said in an email interview.

"Search engines, such as Google, do not index these APIs, which gives a false sense of security when, in fact, these mobile endpoints can be just as vulnerable as any other website."

Developers are under pressure to quickly incorporate new features into their software, Stephen Banda, a senior manager at cybersecurity firm Lookout, said in an email interview. 

"To deploy code quickly, organizations rely on automated software delivery processes to upgrade functionality, apply security patches to keep cloud applications up-to-date," he added.

"Moving at this speed, even with sound change management and security best practices in place, means every organization runs the risk of introducing misconfigurations into their cloud applications."
