Google Play, Apple App Store Are 'Large Malware Distribution Platforms'

Cybercriminals could use data from 100 million Android users to commit fraud and/or identity theft.

Edward Gately, Senior News Editor

May 21, 2021

Mobile app developers have potentially exposed the personal data of more than 100 million Android users. That’s according to Check Point Research (CPR).

CPR examined 23 Android apps. Mobile app developers potentially exposed Android users’ data through a variety of misconfigurations of third-party cloud services.

In the last few months, many app developers have left their data and millions of users’ private information exposed. They did so by not following best practices when configuring and integrating third-party cloud services into their apps. The misconfiguration put users’ personal data and developers’ internal resources at risk.

CPR recovered sensitive information including email addresses, passwords, private chats, device location, user identifiers and more. If a malicious actor gains access to Android users’ data, it could potentially lead to service swipes (trying to use the same username-password combination on other services), fraud and/or identity theft.

Unsecured Storage

Michael Isbitski is technical evangelist at Salt Security.

“Some of these issues uncovered … are similar to what we covered in the iPhone recorder incident,” he said. “Mobile application developers often make use of cloud-hosted databases and data storage, such as AWS S3, to store content for mobile clients. Such cloud services provide essentially unlimited storage, that is accessible from anywhere. And that is perfect for the world of mobile connectivity.”

However, CPR uncovered data stored in the cloud that didn’t require authentication and was accessible to anyone, Isbitski said.

“Mobile app developers should make use of the Android keystore and keychain mechanisms that are backed by the hardware security module of the mobile device,” he said. “Developers should also make use of the Android encryption mechanisms when storing other sensitive data client-side.”

Securing Mobile Apps

Ray Kelly is principal security engineer at WhiteHat Security.

“Developers tend to think that mobile backends are hidden from hackers,” he said. “Search engines, such as Google, do not index these APIs. [That] gives a false sense of security when in fact these mobile endpoints can be just as vulnerable as any other website. This is considered security through obscurity in the cybersecurity industry. It’s akin to hiding your house key under your doormat and thinking your house is safe. Ensuring that a mobile application is secure requires that the application’s binary, network layer, backend storage and APIs are all tested thoroughly for security vulnerabilities that can lead to issues such as data leakage.”

Dirk Schrader is global vice president of security research at New Net Technologies (NNT). He said Google Play and Apple’s App Store are basically large malware distribution platforms. That’s if the platform itself, and what is in it, are not managed well.

“That notion of ‘managed well’ includes apps where, like in this case, the central data repositories are in the cloud and misconfigured,” he said.

Both Google and Apple have a responsibility here, Schrader said. That’s because users are made to believe that each app they download from these stores meets certain quality criteria.

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
