As you casually input sensitive information into a cryptocurrency app, a dating service, or a shopping platform, you may assume the folks behind the mobile applications are doing their part to protect your data. But according to a new Check Point Research (CPR) investigation, you’d be sorely mistaken.
CPR released a scathing report exposing mobile applications for leaving their users’ personal data unprotected and accessible to hackers. The most unnerving aspect of the investigation is that malicious actors only need one thing to pull off a data breach: a browser.
Dating apps, crypto platforms, health trackers and more: your data may not be safe
During a three-month research study, CPR investigators discovered that a whopping 2,113 mobile apps left their databases exposed and unprotected in the cloud. These apps ranged from 10,000+ downloads to more than 10 million downloads.
Some of the sensitive data CPR researchers spotted included cryptocurrency exchange information, healthcare token IDs, personal family photos, and more. In one harrowing example, CPR uncovered 50,000 private messages from a popular dating app.
“In this research, we show how easy it is to locate data sets and critical resources that are open on the cloud to anyone who can simply get access to them by browsing,” said CPR’s Head of Threat Intelligence and Research Lotem Finkelsteen.
Finkelsteen added that malicious actors can access mobile apps’ exposed databases in a few simple steps that involve searching public-file repositories (e.g. VirusTotal) for mobile apps that use cloud-storage services. “Everything we found is available to anyone. Ultimately, with this research, we prove how easy it is for a data breach or exploitation to occur.”
At this time, CPR is not revealing the names of the mobile apps in question, but the following is a small sample of the 2,000+ platforms that left their users exposed during the investigation period:
- Department store application, one of the largest chains in South America (10 million+ downloads) — Exposed data: API gateway credentials and API key
- Running tracker app (100,000+ downloads) — Exposed data: Users’ GPS coordinates and health parameters like heart rate
- Dating app for people with disabilities (10,000+ downloads) — Exposed data: 50,000 private messages in the open DB of a dating application
- Logo design app (10 million+ downloads) — Exposed data: 130,000 usernames, emails and passwords
- Social audio platform app for users to share and listen to podcasts (5 million+ downloads) — Exposed data: users’ bank details, location, phone numbers, chat messages, purchase history and more
- Bookkeeping application (1 million+ downloads) — Exposed data: 280,000 phone numbers associated with at least 80,000 company names, addresses, bank balances, cash balances, invoice counts and emails
This study exposes a glaring security issue: mobile apps are too negligent with their users’ personal data. CPR also called out cloud-security developers, concluding that they must take steps to add better protections to their services.
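The report does not say which cloud database product the affected apps used, so the following is an added illustration rather than anything from CPR or from the apps named above; it assumes a Firebase Realtime Database (a common choice for mobile back ends) and shows the kind of access rules that leave a database readable “by anyone who can simply get access to them by browsing”, beside a corrected rule set that requires a signed-in user and scopes each record to its owner. The `users` and `messages` paths and the `$uid` key are assumed structure for the example, not anything taken from the report.

```json
// ADDED EXAMPLE, NOT FROM THE CPR REPORT. Assumes a Firebase Realtime Database.
// The rules editor accepts JavaScript-style comments, so both rule sets are shown here.

// --- WEAK: what an "open database" looks like in practice ---
// Any unauthenticated client that knows (or guesses) the database URL
// can read and overwrite every record, with no login required.
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

// --- CORRECTED: deny by default, then grant narrowly ---
// Top-level read/write are false, so nothing is exposed unless a path below
// explicitly allows it. Each user's data is readable and writable only by
// that user; messages are readable only by their sender or recipient.
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "messages": {
      "$msgId": {
        ".read": "auth != null && (data.child('from').val() == auth.uid || data.child('to').val() == auth.uid)",
        ".write": "auth != null && newData.child('from').val() == auth.uid"
      }
    }
  }
}
```

The distinction that matters for the findings above is the default: the weak rule set opens the whole tree and relies on the URL staying secret, which the report shows does not hold once app packages are searchable; the corrected set denies everything at the root and lets each path opt in with a condition tied to the authenticated identity. The same deny-by-default shape applies to other cloud stores (bucket policies, collection-level rules), and a quick self-check is to fetch a record from the database URL without any credentials, which should return an authorization error rather than data.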