At a glance.
- COVID-19 tracking apps aren't supposed to be a source of sales leads.
- Misconfigured cloud services in some Android apps.
COVID-19 tracking app fined for using data for sales leads.
Naked Security reports that COVID-19 tracing app Tested.me is being fined £8000 by the UK’s Information Commissioner’s Office (ICO) for “spamming without consent.” When entering their data in the app, users encountered a checkbox in which they could choose to allow “this venue, its alliance [sic] and tested.me to send you marketing materials in the future,” followed by a statement promising to delete the collected data within twenty-one days in accordance with General Data Protection Regulation (GDPR) guidelines. The ICO stated that the question was too vague, leaving terms like “alliance” and “marketing materials” undefined, and that Tested.me did not specify the methods by which the user might receive future communications. The ICO also cited the app for lacking an overarching privacy policy detailing the company’s practices. That said, the fine’s modest size is likely explained in part by the fact that the request for permission and the twenty-one-day deletion policy show Tested.me was at least attempting to comply with GDPR requirements. Tested.me halted its marketing efforts as soon as it was contacted by the ICO.
Misconfigured cloud services expose Android app users.
The Record by Recorded Future reports that, after examining twenty-three Android apps, researchers at Check Point Software found that the personal data of over 100 million users had been exposed through misconfigured cloud services. Because access controls were missing, the researchers were able to reach the backend cloud databases of thirteen of the apps, where they found private data such as email addresses, passwords, chats, and personal images. “All CPR researchers had to do was to attempt to access the data. There was nothing in place to stop the unauthorized access from happening,” the study explains. They also found access tokens for cloud storage or push notifications embedded in the app source code, which could allow an attacker to send notifications that appear to come directly from the trusted app, the perfect recipe for a phishing operation. Check Point released the names of five of the apps in question: Logo Maker, Astro Guru, T’Leva, Screen Recorder, and iFax. Unfortunately, misconfiguration of third-party services is not a new issue; Zimperium released a study in March that found similar vulnerabilities in both Android and iOS apps.