After examining 23 Android applications, Check Point Research (CPR) noticed mobile app developers potentially exposed the personal data of over 100 million users through a variety of misconfigurations of third-party cloud services. Personal data included emails, chat messages, location, passwords and photos, which, in the hands of malicious actors, could lead to fraud, identity-theft and service swipes.
- CPR discovered publicly available sensitive data from real-time databases in 13 Android applications, with the number of downloads that each app has ranging from 10,000 to 10 million
- CPR found push notification and cloud storage keys embedded in a number of Android applications themselves
- CPR provides examples of vulnerable applications: an astrology, taxi, logo-maker, screen recording and a fax app that left users and developers vulnerable to malicious actors
Modern cloud-based solutions have become the new standard in the mobile application development world. Services such as cloud-based storage, real-time databases, notification management, analytics, and more are simply a click away from being integrated into applications. Yet, developers often overlook the security aspect of these services, their configuration, and of course, their content.
CPR recently discovered that in the last few months, many application developers have left their data and millions of users’ private information exposed by not following best practices when configuring and integrating third-party cloud services into their applications. The misconfiguration put users’ personal data and developers’ internal resources, such as access to update mechanisms, storage and more, at risk.
Misconfiguring Real-Time Databases
Real-time databases allow application developers to store data on the cloud, making sure it is synchronized in real-time to every connected client. This service solves one of the most encountered problems in application development, while making sure that the database is supported for all client platforms. However, what happens if the developers behind the application do not configure their real-time database with a simple and basic feature like authentication?
This misconfiguration of real-time databases is not new, and continues to be widely common, affecting millions of users. All CPR researchers had to do was attempt to access the data. There was nothing in place to stop the unauthorized access from happening.
While investigating the content on the publicly available database, we were able to recover a lot of sensitive information including email addresses, passwords, private chats, device location, user identifiers, and more. If a malicious actor gains access to this data, it could potentially lead to service-swipes (i.e., trying to use the same username-password combination on other services), fraud, and/or identity-theft.
CPR researchers found that Astro Guru, a popular astrology, horoscope and palmistry app with over 10 million downloads, has this misconfiguration. After users input their personal information such as their name, date of birth, gender, location, email and payment details, Astro Guru provides them a personal astrology and horoscope prediction report. Imagine exposing sensitive data for a horoscope prediction!
Storing personal information is one thing, but what about storing real-time data? This is what a real-time database is for. Through T’Leva, a taxi app with over fifty thousand downloads, CPR researchers were able to access chat messages between drivers and passengers and retrieve users’ full names, phone numbers, and locations (destination and pick-up) – all by sending one request to the database.
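For developers, the missing-authentication problem described above can be caught by linting the database's access rules before deployment. The following is an added example, not code from CPR or from any of the apps named; it assumes a rules file in the Firebase Realtime Database format (the article does not name the service), and the sample rules are constructed.

```python
import json

# Constructed sample rules in the Firebase Realtime Database rules format
# (assumed service; the article does not name one).
SAMPLE_RULES = """
{
  "rules": {
    ".read": true,
    "chats": {
      "$chatId": {
        ".read": "auth != null",
        ".write": "auth != null && data.child('members').hasChild(auth.uid)"
      }
    },
    "rides": {
      ".write": "true"
    }
  }
}
"""

def _severity(expr):
    """Classify one .read/.write expression."""
    if expr is True or (isinstance(expr, str) and expr.strip() == "true"):
        return "PUBLIC"            # no authentication at all
    if isinstance(expr, str) and expr.replace(" ", "") == "auth!=null":
        return "ANY_SIGNED_IN"     # every signed-in user, no per-user scoping
    return None

def audit_rules(rules_json):
    """Return sorted (path, operation, severity) findings for a rules document."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                sev = _severity(value)
                if sev:
                    findings.append((path or "/", key, sev))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return sorted(findings)

if __name__ == "__main__":
    for path, op, sev in audit_rules(SAMPLE_RULES):
        print(f"{sev:14} {op:7} {path}")
```

In this rules format a grant at a parent path also applies to every child, so a `PUBLIC` finding at `/` exposes the whole database regardless of stricter rules below it.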
A push notification manager is one of the most widely used services in the mobile application industry. Push notifications are often used to flag new available content, display chat messages, emails, and much more. Most push notification services require a key (sometimes, more than one) to recognize the identity of the request submitter. When those keys are just embedded into the application file itself, it is very easy for hackers to take control and gain the ability to send notifications which might contain malicious links or content to all users on behalf of the developer.
Imagine if a news-outlet application pushed a fake-news entry notification to its users directing them to a phishing page. Since the notification originated from the official app, the users would assume the notification was legitimate and sent by the news outlet and not hackers.
Cloud storage on mobile applications is a practice that has skyrocketed in the last few years. It allows access to files shared by either the developer or the installed application. Here are two examples of apps that CPR researchers found on Google Play:
1) With over 10 million downloads, the “Screen Recorder” app is used to record the user’s device screen and store the recordings on a cloud service. While accessing screen recordings through the cloud is a convenient feature, there can be serious implications if developers safeguard users’ private passwords on the same cloud service that stores the recordings. With a quick analysis of the application file, CPR researchers were able to recover the mentioned keys that grant access to each stored recording.
2) The second app, “iFax”, not only had the cloud storage keys embedded into the app, but also stored all fax transmissions there. Just by analyzing the app, a malicious actor could gain access to any and all documents sent by the 500,000 users who downloaded this application.
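Because push notification and cloud storage keys shipped inside the application file can be recovered by anyone who downloads it, a release pipeline should refuse to publish a build that contains them. The sketch below is an added example, not CPR's tooling: it scans a built APK (a zip archive) for credential-shaped strings, the three patterns are assumptions about which services an app might use, and the sample archive and key values are constructed placeholders.

```python
import io
import re
import zipfile

# Assumed patterns for well-known public credential formats; extend with
# the formats of the services your app actually uses.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(rb"\bAIza[0-9A-Za-z_\-]{35}"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

def scan_apk(apk_bytes):
    """Return sorted (entry_name, pattern_name, redacted_match) for every hit."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            data = apk.read(info)  # decompressed entry contents
            for name, rx in PATTERNS.items():
                for m in rx.finditer(data):
                    text = m.group(0).decode("ascii", "replace")
                    # Redact so the report itself does not leak the key.
                    hits.append((info.filename, name, text[:8] + "..."))
    return sorted(set(hits))

def build_sample_apk():
    """Constructed APK-like zip; both key values are fake placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("res/values/strings.xml",
                   '<string name="storage_key">AKIA' + "EXAMPLEKEY000000" + "</string>")
        z.writestr("assets/config.json",
                   '{"push_key": "AIza' + "x" * 35 + '"}')
        z.writestr("classes.dex", b"dex\n035\x00 no secrets here")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, kind, redacted in scan_apk(build_sample_apk()):
        print(f"{entry}: {kind} ({redacted})")
```

This byte-level pass only sees ASCII/UTF-8 text; strings stored as UTF-16 in compiled resources need decoding first. The durable fix is to keep such keys on a backend and issue short-lived, scoped credentials to the app.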
It is important to note that CPR approached Google and each of these apps’ developers prior to the publication of this blog to share our findings. A few of the apps have changed their configuration.
How to protect yourself
Mobile devices can be attacked in different ways. This includes the potential for malicious apps, network-level attacks, and exploitation of vulnerabilities within devices and the mobile OS. As mobile devices become increasingly important, they have received additional attention from cybercriminals. As a result, cyber threats against these devices have become more diverse. An effective mobile threat defense solution needs to be able to detect and respond to a variety of different attacks while providing a positive user experience.
Check Point Harmony Mobile is the market-leading Mobile Threat Defense (MTD) and Mobile App Reputation Service (MARS) solution, providing the widest range of capabilities to help you secure your mobile and the data on it.
Top Tech Gifting Ideas for This Friendship Day
Friendship Day is around the corner. Still looking to buy the perfect gifts for your best friends? You can make them feel special by surprising them with gadgets that will help them in their career. If you are unsure what to pick, we have curated a list that will help you plan the special day for your friends.
Sennheiser MKE 400:
Looking for a microphone that will help your friend in creating content with superb audio quality? The Sennheiser MKE 400 is a highly directional on-camera shotgun microphone designed to isolate and enhance the audio for your video. The MKE 400 includes built-in wind protection and integrated shock absorption, while offering even more features to ensure the best possible recordings. Priced at INR 16,900, this is your ideal microphone for creating a good
Sennheiser IE 100 Pro:
Looking for a perfect pair of earphones that will help your friend’s journey in the music industry? This IE 100 Pro earphone guarantees a precise acoustic overview for live performances with a newly developed dynamic driver. The innovative diaphragm delivers a warm sound, yet powerful and rich in detail. Even in extremely loud environments, every aspect remains distortion-free and defined. The IE 100 Pro is ideal for musicians and DJs for its exceptional sound and high wearing comfort – not only for live sessions, but also for producing. The in-ears match every auricle. A compact design combines a secure fit with excellent wearing comfort. Its robust construction from the connection to the cable duct is designed to be suitable for the rigors of stage use. These earphones come in two variants with a starting price of INR 9,900.
SanDisk iXpand Flash Drive Luxe for Apple Devices
Apple users are in a constant conundrum when it comes to backing up their personal data, and chances are that your iPhone has reached its maximum storage capacity in the first few months itself. A one-stop, hassle-free solution is the SanDisk iXpand Flash Drive Luxe. This is Western Digital’s first flash drive with dual Lightning and USB Type-C connectors that allows users to save and back up their data without fuss. It provides a sleek experience to seamlessly access and move files between Apple™ devices and USB Type-C devices, including Android™ smartphones. If you want to free up space and/or automatically back up your content without the headache of a poor internet connection, this drive is a must-have. Price – 64GB, 128GB and 256GB storage variants | Rs 4,449, Rs 5,919 and Rs 8,999 respectively on Amazon India
The perfect vlogging camera for your #InstaObsesed Best friend – Canon EOS M50 Mark II
Looking for a camera that will help your friend become the influencer she dreams to be? Here is the perfect professional camera that will take the quality of your friend’s vlogs a notch higher and help her become the professional she aspires to be. Lightweight and stylish, the EOS M50 Mark II is fun and easy to use with Wi-Fi connectivity for content creators to stay close to their audience at all times. Your friend can record all her videos easily, whether it is a makeup tutorial or a workout session, at the tap of a button. She can keep her social media feed lit with high-quality visual storytelling in 4K and accurate eye and face detection autofocusing. The EOS M50 Mark II also features an enhanced Eye Detection AF, which is able to detect and focus on a subject’s eye even when the person is far away. This will ensure the eye will always stay in focus, making it possible to use Eye Detection AF for full body shots in addition to the common upper body portrait shot. Users can capture subjects quickly and accurately when they are approaching from a distance, making it great for candid shots as well!
- In-camera YouTube live streaming for real-time video engagement
- Film vertical videos in 4K for social media
- Wireless connectivity with smartphone and cloud storage
- Price: INR 58,995/-
Logitech Pebble M350 has been designed to be extra slim, while still fitting naturally in the palm of your hand. It sports a sleek and smooth organic shape that fits not only in the hand but in the pocket or bag without feeling bulky. The silent clicking and scrolling ensures undisturbed work for both the user and those around. It comes in 3 trendy colours, off-white, rose, and graphite, which are subtle natural tones but will add a splash of oomph to her work station. The Logitech Pebble is built from super sturdy material, and is undoubtedly the ideal choice this Friendship Day. Currently available at a discounted price of INR 1,695 on Amazon.in.
With a perfect blend of cutting-edge technology and sleek aesthetics, K380 is a minimalist, modern and slim keyboard that easily connects to any Bluetooth® wireless device. The space-saving keyboard layout works with computers, laptops, phones or tablets and offers the perfect desk set-up wherever you go. The Logitech K380 Multi-Device Bluetooth Keyboard brings the comfort and convenience of desktop typing to your computer, smartphone and tablet. Help your friend to connect with up to three devices, instantly switching among them with the Easy-Switch™ buttons. Currently available at a discounted price of INR 3,195 on Amazon.in.
Acer Day Sale is Back with Exciting Deals, Check All Details
The annual Acer Day celebration is back this year and will be held virtually across 10 Asia Pacific regions. Acer Day Sale in India is all ready to begin on August 3rd and it will continue for three days till August 5th. The three-day sale will be available exclusively on Acer E-store. The sale event which features fabulous rewards, promotions, and gifts has been themed ‘Live Your World’ to encourage everybody to make the best of whatever situation they are in.
The biggest offer of the year from Acer gives customers a chance to get laptops at half price, a premium laptop bag worth Rs 7800, a True Wireless Headset worth Rs 2499 and discount coupons, through a lucky draw, on purchases from the Acer India E-store between 3rd and 5th August. On purchase of Acer gaming laptops from the Acer E-store, customers get a 3-year warranty + 1st Year Accidental Damage protection and a free Nitro Gaming Headset. On purchase of Acer non-gaming laptops from the Acer E-store, customers get a 3-year warranty + 1st Year Accidental Damage protection and a free laptop bag. In addition, customers also get No Cost EMI on Acer laptops to ensure an easy buying process. Acer is also offering True Wireless Earbuds FREE with Acer tablets. Offers also extend to Air Purifiers, which help to keep your home air pure
“Most of us are encouraged to stay home and reduce social activities. However, we want to tell all our fans that staying at home does not mean you have to be alone. The Acer Day theme of ‘Live Your World’ this year draws inspiration from the belief that all of us can make the best of any situation and continue to live our lives, no matter where we are and what constraints we are under. Technology has broken barriers and enabled people to stay connected even more. We believe music is the best medium to transcend borders and circumstances, that’s why we are inviting the artists to create a special song -Live Your World,” said Andrew Hou, President of Acer Pan Asia Pacific Operations.
Commenting on the special occasion, Sudhir Goel, Chief Business Officer, Acer India on this announcement said, “The year 2021 marks the fifth edition of Acer Day and we invite our customers to join our celebration themed ‘Live Your World’ to. Every year, Acer celebrates with our fans with great offers and products on sale as well as engaging activities. This year we have taken a step further and has brought in our best offers so far across our laptops, tablets, air purifiers, monitors and some great lucky draw prizes. We encourage all of our audience to come celebrate with us and avail our fantastic offers.”
Also, from 6th August 2021 until 30 August 2021, customers who purchase select Acer models from any Acer authorized online store or offline retail shop will be rewarded with 3 years warranty, 1st year accidental damage protection along with No Cost EMI on Acer laptops.
Acer has prepared a series of performances and activities that will go live at 5.30 pm on 7 August 2021 as a platform for everyone to connect simultaneously this year. The livestream of the event can be viewed together by all at Acer Facebook.
Amazon Brings Mega Home Monsoon Offer, Save Big on Appliances
Amazon.in announces the ‘Mega Home Monsoon Offer’ starting with a host of exciting deals on monsoon-relevant home appliances such as Washing Machines, Double Door Refrigerators, Microwave Ovens, Dishwashers, and much more. The great deals and offers will be live until 11:59 PM on 29 July 2021.
During the “Mega Home Monsoon Offer”, customers can look forward to savings on some of the best home-appliance brands such as Samsung, LG, Whirlpool, Haier, and Godrej. They can also save more with an additional 10% discount through SBI Credit Card and shop conveniently with scheduled delivery, exchange offers, no-cost EMI options, installation and more.
Here are some of the offers by participating sellers:
- Washing Machines starting INR 6999
- Fully Automatic Top load washing machines starting INR 9,999 with no-Cost EMI starting INR 941 per month | Exchange available
- Front Load Washing Machines starting INR 1,055/month | Exchange available
- Up to 30% off on top Brands- Samsung, LG, Whirlpool
- Wi-Fi Enabled Smart Washing Machines from Samsung, LG | Starting INR 32,999 | Affordable EMIs
- Top Load Washing machines with heaters | For germs killing | Starting INR 17,200
- Samsung 6.5kg Fully automatic Top load washing machine at INR 14,190
- Basics Fully Automatic Washing machines starting INR 9,999
- Exciting new launches from top brands like IFB, Samsung and Whirlpool starting from INR 7,700
- Up to 35% off on refrigerators from top brands such as LG, Samsung, Whirlpool, Haier, Godrej and more
- Energy efficient refrigerators starting INR 13,490
- Convertible refrigerators starting INR 21,790
- Up to INR 12,000 off on side-by-side refrigerators on exchange
- Up to 45% off on dishwashers specially designed for Indian Kitchens
- Voltas Beko dishwasher starting at just INR 21,490
- Up to 45% off on Microwave Ovens
- Solo microwave ovens starting INR 44,99
- Prepare tasty dishes this monsoon season with Microwaves starting just INR 212/month