The Comparitech research team, led by cybersecurity expert Bob Diachenko, has reported that 24,000 Android apps leak user data through misconfigured Google Firebase databases. Firebase is a popular backend platform used by nearly 30% of apps on the Google Play Store.
Separately, Dallas-based security firm Zimperium has found that more than 18,000 iOS and Android apps leak sensitive user data from improperly secured cloud servers. Misconfiguration has been a leading cause of exposure when services store sensitive data in the cloud: instead of diligently restricting who can access that information, companies too often leave their defenses misconfigured. In other words, it is a clear invitation to malicious actors, the equivalent of leaving your doors open before going on a trip.
In their analysis, Comparitech experts examined 515,735 Android apps (roughly 18% of the apps available on Google Play) and found 155,066 of them using Google's Firebase databases. Of those, 4,282 apps were disclosing sensitive data such as:
- Usernames: 4,400,000+
- E-mail addresses: 7,000,000+
- Full names: 18,300,000+
- Phone numbers: 5,300,000+
- Chat messages: 6,800,000+
- GPS data: 6,800,000+
- Street addresses: 560,000+
- IP addresses: 156,000+
By category, game apps had the highest share of vulnerable Firebase configurations at 24.71%, followed by education apps at 14.72%, entertainment at 6.02%, business apps at 5.28%, and travel and location apps at 4.31%.
9,014 Apps Included Write Permissions
The Comparitech team also found that 9,014 of the apps analyzed had write permissions enabled, which would allow malicious actors to modify, add, or remove sensitive data on the server, in addition to viewing or downloading it.
Attackers who gain write access could inject fake data into apps, scam or phish users, and ultimately spread malware. A piece from Techshielder notes that apps available on both iOS and Android have a greater chance of containing bugs that could expose your data.
The risk of exposure for Android and iOS users alike is significant, considering that the affected apps have been downloaded more than 4 billion times.
Comparitech notified Google on April 22 and sent a full report of its findings. The team says it will also reach out to app developers with suggestions for fixing the misconfigurations.
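The exposure described above comes down to one setting: Firebase Realtime Database security rules that grant `.read` and `.write` to everyone at the root of the database (`".read": true, ".write": true`), so anyone on the internet can download the whole dataset and, where write is open, alter it. As an added illustration that is not part of the Comparitech report or any app's real configuration, the rules below show the corrected form for a hypothetical `users` tree keyed by Firebase Auth user ID: reads and writes are denied by default, and a user may reach only their own record.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
```

Because Realtime Database rules are deny-by-default for any path without an explicit grant, this leaves every path outside `users/<uid>` unreachable, and `auth != null` alone is not enough, since any signed-in user of the app would still be able to read every other user's data. Developers can confirm the fix with the rules simulator in the Firebase console, or by checking that an unauthenticated read against their own project's database is rejected.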
Cyber Hygiene – What Can Android Users Do?
Stop Recycling Passwords Across Multiple Accounts
We know you’ve probably heard it dozens of times, but somehow this advice is still overlooked by many. A study from SecureAuth shows that 53% of respondents admitted using the same passwords across multiple accounts.
Using strong passwords on all of your accounts is as critical as locking your doors when you leave on holiday. Your passwords should contain at least ten characters, including symbols, numbers, and both capital and lowercase letters. A more complex password is harder for malicious actors to crack with dictionary attacks. If you want a password that is truly hard to crack, use a random password generator to get a random assortment of letters, symbols, and numbers.
Multi-factor Authentication a Must on All of Your Devices
The truth is that a strong password alone is not enough to stop the most determined cybercriminals. Enabling multi-factor authentication on your Android devices adds an extra layer of security that makes it harder for anyone who isn't you to access your device.
MFA works by asking you to verify your identity when you log in, through a one-time code or password delivered to your device, email, or an authenticator app. For instance, if you log into Facebook with multi-factor authentication enabled, you might be prompted to enter the four-digit code sent to your device as an extra step. This ensures that outsiders can't log into an account with the password alone if that password has been breached.
MFA features let you choose how often the prompt appears, from every login to only logins from new devices or locations. To activate MFA on your Android device, open the settings and privacy section, where you should be able to modify the authentication settings.
If you’re not a seasoned attorney, it’s safe to assume you don’t read every word of the Terms & Conditions you agree to.
While apps are required by law to outline in those policies what they do with the information you give them, it's usually not that simple. Many services and companies are masters at creating confusing language or burying essential information deep in the text of their terms.
When you download an app and provide your name, email address, and other personal details, you are handing over key information that makes you a prime target. Perhaps you knew that already, but what do you do without your favorite fitness or meditation app?
You should also check what type of information an app collects and, most importantly, how it collects it. Does the service plan to trade it or use it for other purposes? A trustworthy app should clearly state that the only information it takes from you is what is necessary for account creation and billing, for example your name, email address, and billing information.
Unfortunately, with so many apps burying valuable details deep in their policies, there is no single step you can take to protect yourself against sensitive data leaks. All you can do is limit the amount of data you share online and try to stick to services that comply with current GDPR rules.