In one look.

• COVID-19 tracking apps are not meant to be a source of leads.
• Cloud services misconfigured in some Android apps.

COVID-19 tracking app fined for using data for leads

Naked Security reports that the COVID-19 tracking app Tested.me has been fined £ 8,000 by the UK Information Commissioner’s Office (ICO) for ‘spamming without consent’. When entering their data into the app, users encountered a checkbox where they could choose to allow “this place, its alliance [sic] and tested.me to send you marketing materials in the future ”, followed by a statement promising to delete the collected data within twenty-one days in accordance with the guidelines of the General Data Protection Regulation (GDPR). The ICO said the question was too vague, leaving terms like “alliance” and “marketing materials” undefined, and that Tested.me did not specify the methods by which the user might receive future communications. Additionally, the ICO cited the app for the lack of a comprehensive privacy policy detailing the company’s practices. That said, the modest size of the fine is likely a partial explanation for the incident, as the permission request and 21-day deletion policy demonstrate that Tested.me was at least trying to comply with GDPR requirements. Tested.me halted their marketing efforts as soon as they were contacted by the ICO.

Improperly configured cloud services expose users of Android applications.

The Record by Recorded Future reports that after examining 23 Android apps, researchers at Check Point Software found that more than 100 million users had been compromised due to misconfiguration of cloud services. Due to the lack of protections, the researchers were able to access the cloud backend databases of thirteen of the applications, where they found private data such as email addresses, passwords, chats, and images. personal. “All the RCR researchers had to do was try to access the data. There was nothing in place to prevent unauthorized access, ”the study explains. They also detected access tokens for cloud storage or push notifications embedded in the source code of the app, which could allow an attacker to send notifications that appear to come directly from the app. trust, the perfect recipe for a phishing operation. Check Point has released the names of five of the apps in question: Logo Maker, Astro Guru, T’Leva, Screen Recorder, and iFax. Unfortunately, improperly configured third-party services are not a new problem; Zimperium published a study in March that found similar vulnerabilities in Android and iOS apps.