App developers exposed the data of millions of Android users

Mobile app developers have potentially exposed the private data of over 100 million Android users, failing to follow security best practices when integrating third-party cloud services into their apps.
Check Point researchers recently analyzed 23 Android apps, including a screen recorder, taxi app, fax service, logo maker, and astrology software, and found the developers were exposing their own and their users' data through a variety of misconfigurations in third-party cloud services.
In 13 applications, sensitive details were publicly available in unsecured cloud configurations.
Sensitive data included chat messages, emails, location details, gender, date of birth, phone numbers, passwords, photos, and payment details. Cybercriminals could easily use this information to carry out fraud, identity theft and service scans.
In a blog post, researchers said they found sensitive details in unprotected real-time databases used by 23 apps, with installs ranging from 10,000 to 10 million.
Some of these apps, found in the Google Play Store, have had over 10 million downloads, including Astro Guru, Logo Maker, and Screen Recorder. The latter exposed storage keys in the cloud, giving access to users' device screenshots.
Some apps also exposed data related to their developers, such as credentials for the app's push notification service. Malicious actors can exploit push services to send bogus alerts to app users.
Another Android application, iFax, exposed cloud storage keys, providing access to a database containing fax transmissions and other documents of more than 500,000 users.
With the taxi service app T'Leva, Check Point researchers were able to access all messages sent between customers and drivers, names, phone numbers and a variety of other details, by sending a simple request to the database.
"This misconfiguration of real-time databases is nothing new, but to our surprise, the scope of the problem is still far too broad and affects millions of users. All our researchers had to do was attempt to access the data. There was nothing in place to prevent unauthorized access processing," the researchers said.
"Most of the apps we found had 'read' and 'write' permissions. That alone could compromise an entire app, not even considering the developer's reputation, their user base, and even their relationship with the hosting market."
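A developer can catch the open "read" and "write" permissions described above before shipping by auditing the database access rules. The following is an added example, not code from Check Point or any of the apps named; it assumes rules in Firebase Realtime Database JSON syntax (the article does not name the database product), and the sample rules and the `audit` helper are constructed for illustration.

```python
import json

# Constructed sample rules; Firebase Realtime Database rule syntax is an assumption,
# the article does not name the database product.
WEAK_RULES = json.loads("""
{"rules": {
  ".read": true,
  ".write": true,
  "chats": {"$chatId": {".read": "auth != null"}}
}}
""")

HARDENED_RULES = json.loads("""
{"rules": {
  "chats": {"$chatId": {
    ".read": "auth != null && data.child('members').child(auth.uid).exists()",
    ".write": "auth != null && data.child('members').child(auth.uid).exists()"
  }},
  "public_notices": {".read": true, ".write": false}
}}
""")

def is_public(expr):
    """True when a rule grants access to every client, authenticated or not."""
    if isinstance(expr, bool):
        return expr
    return isinstance(expr, str) and expr.replace(" ", "").lower() == "true"

def audit(rules, allow_public_read=()):
    """Return sorted (path, permission) pairs for rules open to everyone.

    Grants cascade downward and cannot be revoked by a child rule, so an open
    parent is reported once and covers its whole subtree.
    """
    findings = []
    def walk(node, path, inherited):
        for perm in (".read", ".write"):
            if perm not in inherited and is_public(node.get(perm, False)):
                inherited = inherited | {perm}
                if not (perm == ".read" and path in allow_public_read):
                    findings.append((path or "/", perm))
        for key, child in node.items():
            if not key.startswith(".") and isinstance(child, dict):
                walk(child, f"{path}/{key}", inherited)
    walk(rules.get("rules", {}), "", frozenset())
    return sorted(findings)

if __name__ == "__main__":
    for name, r in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(r))
```

Run as a CI check against the exported rules file, this fails the build on any finding that is not in an explicit allow-list of intentionally public paths.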
Last year, a study by the cybersecurity team at Comparitech found that nearly 6% of all Google Cloud buckets are vulnerable to unauthorized access due to configuration issues.
Of the 2,064 open Google Cloud buckets that Comparitech researchers found, 131 were misconfigured and vulnerable to unauthorized access.