Android: personal data of 100 million users in the wild


The integration of cloud services often leaves something to be desired. As a result, user data is sometimes easily accessible.

Many mobile applications rely on cloud services to store or synchronise their users' data. But this type of architecture is not always implemented well, as security researchers from Check Point have just found. They identified 23 popular Android applications in which a third party could access users' personal data: messages, passwords, browsing history, emails, screenshots, images, etc.

In total, more than 100 million users were affected by these vulnerabilities. Among the vulnerable applications were a screen recorder, iFax, Astro Guru and Logo Maker.

The cause is a lack of competence on the part of the developers. For example, they use real-time databases, but because these are poorly configured, a third party can get into them without meeting any resistance. It is also not uncommon for developers to hard-code access credentials to cloud services into the application. All you have to do then is decompile the application to access them. These bad practices are not new, "but (...) the scope of the problem is still far too broad and affects millions of users," notes Check Point, which alerted all the publishers concerned. The errors have since been partially corrected.
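For developers who want to check their own configuration before release, here is a small audit of database access rules. It is an added example, not code from Check Point or from any of the applications mentioned. It assumes rules written in the Firebase Realtime Database JSON format (the article does not name a product), and the sample rules and function names are constructed for illustration.

```python
import json

# Constructed sample rules (assumed Firebase Realtime Database JSON format).
SAMPLE_RULES = """
{
  "rules": {
    "public_feed": {".read": true, ".write": "auth != null"},
    "chats": {
      ".read": "true",
      "$room": {".write": "auth != null && data.child('members').hasChild(auth.uid)"}
    },
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
"""

def _is_open(expr):
    """True when a rule grants access unconditionally (true or "true")."""
    if isinstance(expr, bool):
        return expr
    return isinstance(expr, str) and expr.strip() == "true"

def find_open_paths(rules_text):
    """Return sorted (path, operation) pairs that any client can use without signing in.

    In this rules format a grant at a parent path cascades to every child and
    cannot be revoked deeper down, so only the shallowest open path is reported.
    Rules that are open through a more complex expression are not detected.
    """
    rules = json.loads(rules_text)["rules"]
    findings = []

    def walk(node, path, inherited):
        open_here = set()
        for op in (".read", ".write"):
            if op not in inherited and _is_open(node.get(op)):
                findings.append((path or "/", op[1:]))
                open_here.add(op)
        for key, child in node.items():
            if isinstance(child, dict):
                walk(child, f"{path}/{key}", inherited | open_here)

    walk(rules, "", frozenset())
    return sorted(findings)
```

Run against the sample, `find_open_paths(SAMPLE_RULES)` reports `/chats` and `/public_feed` as readable by anyone, while the per-user paths pass.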
