Sloppy Code Exposes 100 Million Android Users

Published · May 22, 2021

On May 20, 2021, five Check Point Software researchers published a report on exposing weak points in 23 Android apps from the Google Play store. The vulnerabilities reportedly granted the research team access to personally identifiable information of over 100 million users.

The developers behind some of the apps failed to patch up the liabilities in time for the responsible disclosure, Check Point claims. That means the vulnerabilities can still be exploited in the wild by hackers.

Hackers Exploiting Weak Authentication

The most prevalent issue mentioned in the report is a poorly configured real-time database. Such databases are incredibly useful for mobile apps, as they can handle quickly changing data and work cross-platform.

However, like with any database, proper authentication should be implemented.

The problem was that several of the apps had their databases completely open.

Anyone could send a simple query to the database and get user emails, gender, location, phone number, and even chat data. Popular logo maker app called Logo Maker even stored plain text passwords in the database, which is a glaring security issue in and of itself.

What’s more, most of the apps left write access open as well. An adversary could easily use nasty XSS tricks to exploit the app server or any user’s device.

What’s particularly odd about this situation is that most real-time databases make it relatively easy even for a complete beginner to implement proper authentication. Services like Google Firebase, for example, will persistently warn users if they leave the permissions open.

Developers Neglect Security Measures

The second prevalent issue is the publicly available cloud storage keys.

While it might be useful to have an app store files like photos or videos in third-party storage, the keys to actually access them should be kept secret. Otherwise, anyone could download files uploaded by all users.

Surprisingly, many software embed access keys directly into the phone apps. For example, the Screen Recorder application exposed recordings by 10 million users in this manner.

The last big issue that surfaced is quite similar. In this case, app files contain the key developers use to authenticate themselves when sending push notifications.

Anyone who accesses the key could impersonate the devs and send push notifications to users’ mobile devices.

Although this doesn’t expose any data directly, it’s easy to see how it can be abused. A hacker might send links to phishing sites via notifications or try to sneak in malware onto the phones.

As mentioned before, Check Point did notify each app’s developers in advance to patch up the vulnerabilities before the info goes public. All the same, the final report states that many failed to secure their applications properly even after knowing about the problem.

A few even tried to sweep the issue under the rug without really fixing it. iFax encoded its passwords in Base64. This is not even an encryption method and can be converted back into a readable key in just one line of code.

The reports really show the twofold problem in the world of software—the attempts by hackers to exploit software and the neglect of many developers when designing apps.

Everyone should be careful where they leave their personal data and employ tools to protect their identity in case of a data breach.

Branko Krstic
Branko Krstic

Branko is a round-the-clock tech geek and loving it. His ideal vacation destination is the Akihabara District (or really any place he can take his computer). If there’s a server out there, count on him to find out what it’s made of… and tell you all about it.