These popular Android applications risk user data

A Check Point Research report shows that numerous popular Android applications are jeopardizing your personal data due to poorly secured third-party services.

The report highlights various security flaws that affect 23 different Google Play apps, each with between 50,000 and 10 million downloads. Most of the offending apps use unsecured real-time databases and cloud storage services to collect and save user information, developer information and internal company resources. The security researchers found that 13 of the applications left their cloud databases unprotected, which allows external actors to access them.

Other applications have incorrectly configured push notification managers, which hackers might use to intercept or alter developers' notifications, or to send misleading notifications that appear legitimate.

These vulnerabilities put at least 100 million Android users at risk of fraud, identity theft and malware attacks.

Which Android applications are jeopardizing your data?

Check Point Research states that one or more of these flaws were found in 23 apps, 13 of which have openly accessible real-time databases. However, only five of these apps are named in the report:

  • Astro Guru: a horoscope application with over 10 million downloads. It stores each user's full name, birth date, sex, GPS, email and payment information.
  • iFax: a mobile fax app that stores all documents sent by its 500,000-plus users in an accessible cloud database, including a cloud storage key.
  • Logo Maker: a graphic design app with over 170,000 users. Check Point found that complete usernames, account identifications, emails and passwords are available to all users.
  • Screen Recorder: an application with more than ten million downloads. It saves passwords on the same cloud service that stores the app's records, leaving them vulnerable.
  • T'Leva: an Angolan taxi-hailing app with more than 50,000 downloads. It leaves text history between riders, local data, full names and telephone numbers accessible.

Check Point says it has notified the app creators, but only Astro Guru has replied, and all of the apps are available on Google Play.

What should Android users do to safeguard their information?

The first step is to stop using the applications named in the Check Point Research report. However, only five of them are listed, which means at least 18 other applications are storing data without proper protection.

This is only what we know from the Check Point report; many more apps, websites and faulty database services will probably remain unknown until after a leak.

Although reports like this one from Check Point Research may alert developers to unsafe data storage, developers are ultimately responsible for fixing the problem. However, users can take preventive action, regardless of which apps they use, to keep their personal information and other important information safe:

  • Whenever possible, use two-factor authentication (2FA).
  • Withhold your personal information when a service doesn't need it, or use fake info as much as possible (for example, do not enter your home address).
  • Create unique passwords for every account and use an encrypted password manager.
  • If you can avoid it, do not connect third-party accounts such as Google, Facebook and Twitter.
  • Keep application permissions to the bare minimum.
  • Use services that notify you of data breaches and compromised accounts.

These additional measures will not stop a breach, but they may reduce your risk of identity theft, fraud and other scams. We also have guides on how to avoid and respond to data breaches, ransomware attacks, malware and identity theft, and how to detect phishing and other online scams.