Thousands of Mobile App Cloud Databases Exposed Online

Despite the risk of company data and even user data being exposed, businesses continue to leave their cloud databases unprotected online.

During a three-month investigation, Check Point Research (CPR) discovered 2,113 mobile applications whose cloud databases were unsecured and could be accessed by anybody with a browser.

The mobile apps with accessible databases varied from those with over 10,000 downloads to over 10 million downloads. CPR discovered a vast range of private data from the applications, including chat messages, personal images, phone numbers, emails, user names, passwords, and other information.

Lotem Finkelstein, Check Point Software’s head of threat intelligence and research, revealed how the company’s security experts were able to readily locate these unprotected datasets using the free web application VirusTotal, saying:

“In this research, we show how easy it is to locate data sets and critical resources that are open on the cloud to anyone who can get access to them by browsing. We share a simple method of how hackers can do it. The methodology entails searching public file repositories like VirusTotal for mobile applications that use cloud services. A hacker can query VirusTotal for the full path to the cloud backend of a mobile application. We share a few examples of what we could find in there ourselves. Everything we found is available to anyone. Ultimately, we prove how easy it is for a data breach or exploitation to occur with this research. The amount of data that sits openly and is available to anyone on the cloud is crazy. It is much easier to breach than we think.”

Mobile Apps with Exposed Databases

CPR presented many instances from its analysis in a recent blog post without naming the mobile applications that had left their cloud databases exposed online.

The first app, belonging to a huge South American department store chain, has been downloaded over 10 million times. While scanning VirusTotal, CPR discovered API gateway credentials and an API key. To make matters worse, these credentials were stored in plain text, which meant that anybody could read them and use them to access the department store’s customers’ accounts.

The next app is a running tracker program that has been downloaded over 100,000 times. It is meant to track and assess a runner’s performance. Its database included users’ GPS locations and other health statistics such as heart rates. An attacker may generate maps to follow the app’s users’ whereabouts with this information.

CPR then discovered an exposed database of a dating platform for persons with impairments. This database had 50k private chat messages and images of the senders. CPR also found an exposed database of a famous logo creation program that has been downloaded over 10 million times. There were 130k users, emails, and passwords in the database.

In addition to these programs, CPR discovered exposed databases belonging to a popular PDF viewer and an accounting application.

Just as security experts advise consumers to safeguard their smartphones, tablets, and computers with strong and complicated passwords, businesses that use cloud databases to store data for their mobile apps should protect those databases in the same way.

Paul Syverson

Paul Syverson is the founder of Product Reviews. Paul is a computer scientist; he carried out a handful of significant studies that contributed many of the site’s special features. He has a huge passion for computers and other tech products, and he is always diligent in delivering quality writing that brings the most value to readers.