An alarming new warning for 100 million-plus Android users, with a new report into high-risk apps, “which could lead to fraud and identity-theft.” Worse, there’s no setting you can change to make your phone safe. Here’s what you need to know.
The latest report from the cyber sleuths at Check Point should be a serious wake-up call for Android users addicted to the principle of “there’s an app for that.” This isn’t a malware issue, it isn’t even a fleeceware issue. This is the serious risk you take when you share your data with apps that do not safeguard that data on your behalf.
The issue is stupidly simple. Many apps use real-time cloud databases to store your data, your settings and your account information. What ends up there depends on the app: a photo app stores your images, an email client stores your emails. But it will very likely include your name, your email address and, often, a password.
“In an examination of 23 Android apps,” Check Point says, “we saw numerous app developers misusing third party cloud-services… resulting in data exposure of not only themselves, but that of users. Personal data of users included emails, chat messages, location, passwords and photos, among others.”
Check Point isn’t sharing all the names of the apps—albeit a small number are named. I am not listing those few here as it’s just a random sample. But you can see details in Check Point’s disclosure. The risks remain high for users, the firm’s Aviran Hazum tells me “since most of those apps are still vulnerable, we decided to only name a few and not reveal the full list, as this information could be used by a malicious actor.”
Not only is there not the usual list of apps to delete, but there’s no setting you can change on your phone to stay safe. This makes this ever more serious. “There is nothing users can do,” Hazum warns. “Without checking the infrastructure of the app in the cloud, the user can’t know if there is an issue at all.”
As usual with this type of disclosure, there is no specific evidence of exploitation in the wild, but the problem is extensive, and there is equally no evidence that it hasn’t already been exploited. Either way, the technique is now public. And so, until app developers fix their cloud backends, this issue remains live.
Data accessed from exposed cloud service (image: Check Point)
Check Point says it “successfully accessed sensitive data from Android applications, ranging from 10,000 to 10 million downloads. If a malicious actor gains access to [this] sensitive data, it would potentially lead to fraud, identity-theft and service-swipe, which is trying to use the same username-password combination on other services.”
Technically, the issue comes down to developers adopting a poor security approach: leaving real-time databases readable without any authentication, and embedding push-notification or cloud-storage keys in the app itself, where anyone who unpacks the APK can extract and reuse them. This is often complacency more than ignorance, Check Point says: “Many app developers know that storing cloud-service keys in their apps is bad practice… We found examples of developers trying to ‘cover-up’ the problem with a solution that did not fix the problem.”
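The two failure modes described above, an unauthenticated real-time database and cloud-service keys shipped inside the app, can both be checked for. The script below is an added example written for this page, not code from Check Point or from any of the apps in the report. It scans decoded app resources (a constructed strings.xml is embedded as sample input) for credential formats that should never be in a client, and it probes the root of a real-time database for an unauthenticated read. The database check assumes a Firebase Realtime Database, which the article does not name; the AWS and Google key formats are those vendors’ documented prefixes, while the push-notification key pattern is an approximation for illustration. Only run the probe against a backend you own or are authorised to test.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Credential and endpoint formats commonly found in decompiled app resources
# (res/values/strings.xml, google-services.json, BuildConfig constants).
# AKIA... and AIza... are the documented AWS / Google key prefixes; the
# push-notification (FCM legacy server key) pattern is an approximation
# assumed for this example and may need tuning in a real review.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "realtime_db_url": re.compile(r"https://[a-z0-9\-]+\.firebaseio\.com"),
    "fcm_server_key": re.compile(r"\bAAAA[0-9A-Za-z_\-]{7}:APA91b[0-9A-Za-z_\-]{20,}"),
}

# Constructed sample: what a decoded strings.xml from a careless build looks like.
# All values are made up; the AWS key is Amazon's own documentation example.
_FAKE_FCM_KEY = "AAAA" + "x" * 7 + ":APA91b" + "y" * 130
SAMPLE_STRINGS_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Example Scanner App</string>
    <string name="firebase_database_url">https://example-app-12345.firebaseio.com</string>
    <string name="google_api_key">AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q</string>
    <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="fcm_server_key">{_FAKE_FCM_KEY}</string>
</resources>
"""


def scan_strings(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) for every embedded key or database URL in text."""
    findings: List[Tuple[str, str]] = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((kind, match.group(0)))
    return findings


def _http_fetch(url: str) -> Tuple[int, str]:
    """Unauthenticated GET; returns (status, body). This does hit the network."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def rtdb_is_world_readable(
    db_url: str, fetch: Callable[[str], Tuple[int, str]] = _http_fetch
) -> bool:
    """True if the database root answers a read with no credentials at all.

    For a Firebase Realtime Database, GET <url>/.json without an auth token
    returns 200 and the data (or 'null' for an empty tree) when the rules
    allow public read, and 401 with {"error": "Permission denied"} when they
    do not. `fetch` is injectable so the check can be exercised offline.
    """
    status, body = fetch(db_url.rstrip("/") + "/.json")
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False
    # A 200 with an "error" object is still a refusal, not exposed data.
    return not (isinstance(data, dict) and "error" in data)


def report(text: str) -> Dict[str, List[str]]:
    """Group findings by kind so a reviewer can see what a client build leaks."""
    grouped: Dict[str, List[str]] = {}
    for kind, value in scan_strings(text):
        grouped.setdefault(kind, []).append(value)
    return grouped


if __name__ == "__main__":
    # Scan the constructed sample; the probe is not run here because it
    # would make a live request to a database URL that does not exist.
    for kind, values in report(SAMPLE_STRINGS_XML).items():
        print(f"{kind}: {len(values)} found")
```

The scanner is the developer-side equivalent of what Check Point did: unpack the build, look at what it carries, and assume that anything in it is in the attacker’s hands. The probe answers the question Hazum says users cannot answer for themselves, whether the backend is open, and it belongs in a release checklist rather than in the hands of end users.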
Location and date of birth data also exposed (image: Check Point)
While this report focuses on Android and Play Store apps, this isn’t a Google issue—this is down to app developers to secure their apps. It’s also not limited to Android. Check Point says that iOS apps are also likely impacted. In a cursory search they found one such issue, albeit they have not extensively researched Apple’s App Store here.
“Most of the apps we took a look at are still exposing the data now,” Hazum confirms. “Victims become vulnerable to… impersonations, identify theft, phishing and service swipes. Our latest research sheds light on a disturbing reality where application developers place not only their data but their private users’ data at risk.”
So, because you can’t check for and delete a set of apps, nor change a setting, what can you do? Well, on Android you can install security software to mitigate some of your risk. You can also reduce your exposure. Take a sensible approach to the apps you install. Do you really need 3 horoscope apps and 5 different PDF readers?
If an app has a cloud backend, then consider the information you are sharing. If this is private emails or messages, photos, or other personal information, then make sure you can vouch for the provenance of the developer. This only impacts data you share with vulnerable apps, not other data on your phone. Mainstream developers with proper security review are far less likely to take these blatant risks. This is primarily a problem with free or near-free apps, with lots of installs, from relatively unknown developers.
Finally, where you are asked for a password for any such app, make sure it’s unique and not a password you reuse elsewhere. As a rule, you should assume that any cloud-backed app which is not from a mainstream developer might carry this risk, and mitigate accordingly. “Having a cloud storage key embedded into an app,” Hazum warns, “is like leaving the key to a locked door under the mat. It renders the lock useless.”