Android mobile security
Secrets and keys embedded into apps: 100+ million Android users exposed.
A study of 23 Android apps conducted by Check Point reveals that misconfigurations in the apps leaked sensitive data from more than 100 million users. All apps are available on the official Google Play store with downloads ranging from ten thousand to ten million.
According to the researchers, the exposure of millions of users’ private data resulted from the Android apps not following best practices when integrating and configuring third-party cloud services.
According to Hackersnews, the researchers found that app developers embedded keys required for sending push notifications straight into the apps.
This could not only make it trivial for malicious actors to send rogue notifications to all users on behalf of the developer but could also be exploited to direct unsuspecting users to a phishing page, thus becoming an entry point for more sophisticated threats.
Several of the vulnerable apps tested also had cloud storage keys embedded, potentially giving malicious actors access to, for example, email addresses, phone numbers, user screen recordings, private chats, and locations.
Furthermore, developers were left vulnerable. The misconfigurations also put the developer’s internal resources, such as access to update mechanisms, storage, and more, at risk.
App data should always be protected. It’s as simple as that. Not obfuscated or hidden away, but protected. Luckily, there are easy-to-deploy tools available to help app developers prevent information leakage.
App developers need proper solutions for securely storing and protecting app assets, both locally on the end-user device and inside a published app. Promon’s App Asset Protection features, Secure Local Storage (SLS), and Secure Application ROM (SAROM) will help you keep your app assets safe.