Saturday, October 16 2021

A recent report highlights app developers’ misconfiguration and poor implementation of third-party cloud services, which may have exposed sensitive data of over 100 million users.

An investigation of 23 Android applications by researchers at Check Point Research (CPR) uncovered numerous misconfigurations of cloud services, including real-time databases, push notification managers, and cloud storage, that malicious actors could exploit. This not only places sensitive user data (passwords, private chats, device locations, payment details, and more) in jeopardy, but also compromises the protection of developers’ internal resources.

Much to the researchers’ dismay, developers of 13 of the applications failed to equip their real-time databases with authentication features. The researchers effortlessly tapped into the real-time database of a taxi booking app with over 50,000 users: with one request, the team was able to access chat messages between drivers and passengers, their locations, phone numbers, and full names.

The researchers also found that, for 10 of the applications, the keys used for accessing cloud storage were embedded in the app itself. By analyzing the application files, the research team was able to decipher keys used by a screen recorder application and gain access to recordings and fax documents. Another app used keys embedded in the application file to send push notifications, which enabled attackers to send fraudulent notifications to users to request personal or payment information.

As third-party cloud services are nearly omnipresent in mobile applications, CPR stressed the need for mobile app developers to use best practices in configuring and implementing cloud services.
