According to a Check Point Research report, many popular Android apps put your personal data at risk due to poorly secured third-party services.

Report highlights several different security vulnerabilities affecting 23 different apps available on Google Play, each with between 50,000 and 10 million downloads. Most of the offending applications collect and store user information, developer data, and internal company resources using insecure real-time databases and cloud storage services. Security researchers were able to find unsecured cloud databases from 13 applications, which means outside actors can also to access.

Other apps have misconfigured push notification handlers, which hackers could use to intercept and modify seemingly legitimate notifications from developers, leaving them with malware, phishing links, or deceptive content.

These vulnerabilities put at least 100 million Android users at risk of fraud, identity theft and malware attacks.

Which Android apps put your data at risk?

Check Point Research claims to have found one or more of these flaws in 23 applications, 13 of which had freely accessible real-time databases. However, the report only calls five of these apps by name:

• Astro Guru: A horoscope app with over 10 million downloads. It stores the full name, date of birth, gender, GPS location, email address, and payment information of each user.
• iFax: A mobile fax application that stores all documents sent by its more than 500,000 users in an accessible cloud database, with cloud storage keys integrated into the application.
• Logo maker: A graphic design application with over 170,000 users. Check Point has found that the full names, account IDs, emails and passwords of all users are accessible.
• Screen Recorder: This app has over 10 million downloads. The report revealed it saves account passwords on the same cloud service that stores the recordings made by the app, making them vulnerable.
• T’Leva: An Angolan taxi app with over 50,000 downloads, this one leaves text history between drivers and riders, location data, full names and phone numbers accessible.

Check Point says it notified the app’s creators, but only Astro Guru responded, and aAll apps are still available on Google Play.

WWhat Android users should do to protect their data?

The first step is to stop using the apps mentioned in the Check Point Research report, but since only five are named, it means there are at least 18 others that store your data without the proper safeguards.

And that’s exactly what we know from the Check Point report – there is probably much more apps, websites, and services with misconfigured databases that we’ll never know about until they’re leaked.

While the report from Check Point Research and others like it may alert developers to unsafe data storage practices, ultimately it is up to the developers to fix the problem. However, users can take preventative measures to protect their personal information and other important data, regardless of the applications they use:

1. Use two-factor authentication (2FA) where possible.
2. Do not disclose personal information from your accounts (do not add your personal address if a service does not need it, for example), or use false information whenever possible.
3. Create unique passwords for each account and use an encrypted password manager.
4. Do not link third party accounts like Google, Facebook and Twitter if you can avoid it.
5. Keep strict minimum application permissions.
6. Use services that inform you violations and compromised accounts.

These additional steps will not stop a violation, but they can mitigate your risk of identity theft, fraud and other scams. We also have guides to prevent and respond to data breaches, ransomware attacks, malware, and identity theftand how to spot the phishing tactics and other online scams.

[Threat Post]