Google Play Store apps leak data for millions of Android users – are you at risk?

We use your sign-up to provide content in ways you’ve consented to and to improve our understanding of you. This may include adverts from us and 3rd parties based on our understanding. You can unsubscribe at any time. More info

Security researchers have discovered over a dozen popular Android apps – which have been downloaded more than 140million times from the Google Play Store – have been leaking user data. New analysis from CyberNews has found 14 top Android apps that collectively have been downloaded 142.5million times were misconfigured on the Google-owned Firebase platform. This tool is used to create Android apps, and if something isn’t configured correctly it can lead to serious issues down the line.

In this case, the Firebase misconfiguration could lead to the offending apps leaking sensitive user data such as emails, usernames, an Android owner’s real-name and more.

Researchers said these misconfigurations could enable anyone that knows the right URL to access real-time databases that store user information without any kind of authentication.

CyberNews said they contacted Google to alert the tech giant of its findings and help secure exposed apps’ databases.

But at the time of publishing their research the Android maker and Play Store operator hadn’t replied.

As a result, nine out of the 14 Android apps that CyberNews highlighted are still leaking data – affecting over 30million users.

Google Play Store: How to update on an Android device

In its study online CyberNews said: “Our team’s findings show that 14 top Android apps, collectively downloaded by at least 142.5 million users, have their Firebase real-time databases unsecured, leaving their data out in the open.

“According to CyberNews researcher Martynas Vareikis, this indicates that the app is leaking not only user data, but also their private messages to anyone to access and do with as they please.”

In terms of what Android apps were affected, the research only mentioned apps which have now rectified the data leaking problem.

The most popular affected app was Universal TV Remote Control, which on its own has been installed onto over 100million Android devices.

The next most popular app was Find My Kids: Child GPS watch app & Phone Tracker which had over 10million installs from the Google Play Store.

Hybrid Warrior : Dungeon of the Overlord and Remote for Roku : Codematics – the other apps named by CyberNews – both have over one million installs.

Firebase databases can be used to hold sensitive information such as financial records.

However, they are often managed by developers with no security training – which can make it an easy target for bad actors.

Ray Kelly, principal security engineer at NTT Application Security, said the onus is on developers to make sure the databases are correctly configured.

Kelly said: “It’s up to the developer to add permissions as needed.

“So, why would a developer decide to make the database completely open? Because it’s easy. Oftentimes, developers will take the easy route while coding their apps. Simply opening up the database will certainly speed up their process.”

Unfortunately, any Android users looking for advice on how to keep their device safe need to wait for developers to take action.

That’s because the flaw is a technical problem which can only be fixed with a patch.

Source: Read Full Article