At a glance.
- COVID-19 tracking apps aren't supposed to be a source of sales leads.
- Misconfigured cloud services in some Android apps.
COVID-19 tracking app fined for using data for sales leads.
Misconfigured cloud services expose Android app users.
The Record by Recorded Future reports that, after looking at twenty-three Android apps, researchers at Check Point Software found that over 100 million users had been compromised due to misconfiguration of cloud services. Due to missing protections, the researchers were able to gain access to the backend cloud databases of thirteen of the apps, where they found private data such as email addresses, passwords, chats, and personal images. “All CPR researchers had to do was to attempt to access the data. There was nothing in place to stop the unauthorized access from happening,” the study explains. They also detected access tokens for cloud storage or push notifications embedded in the app source code, which could allow an attacker to send notifications that appear to come directly from the trusted app, the perfect recipe for a phishing operation. Check Point released the names of five of the apps in question: Logo Maker, Astro Guru, T’Leva, Screen Recorder, and iFax. Unfortunately, misconfigured third-party services are not a new issue; Zimperium released a study in March that found similar vulnerabilities in both Android and iOS apps.