Connect with us

Hi, what are you looking for?


Data Protection

Android Apps Expose Sensitive Data Due to Misconfigured Third-Party Services

Researchers at cybersecurity firm Check Point discovered that many Android applications publicly expose sensitive user data through misconfigured third-party services.

Researchers at cybersecurity firm Check Point discovered that many Android applications publicly expose sensitive user data through misconfigured third-party services.

The research involved the analysis of 23 Android applications and revealed issues related to real-time databases, cloud storage keys, and push notifications.

The exposed data, which pertains to more than 100 million Android users, includes chat messages, emails, passwords, location information, user identifiers, photos, and more.

The exposed real-time databases, which are meant to store data in the cloud and keep it continuously synchronized with the client, were not protected by any authentication mechanism, a misconfiguration that allowed anyone to access the information, without authorization.

Malicious actors able to access the sensitive data exposed by this commonly encountered misconfiguration could attempt to compromise user accounts on various online services, or even abuse the information for identity theft, Check Point notes.

One of the misconfigured apps was Astro Guru, a popular astrology, horoscope, and palmistry app with more than 10 million downloads, which asks users for personal information such as names, dates of birth, gender, email, location, and payment details.

T’Leva, a taxi app with more than half a million downloads, exposed chat messages, full names, phone numbers, and destinations and pick-up locations.

Advertisement. Scroll to continue reading.

Some of the analyzed apps were found to contain embedded within them the keys for push notification services, making it easy for hackers to access them and send potentially malicious notifications to all of the apps’ users.

Other applications were also found to insecurely use cloud storage services. These include Screen Recorder (with over 10 million downloads), which records the user’s screen and sends the content to the cloud, and iFax (500,000 downloads), which had cloud storage keys embedded within, allowing an attacker to access all of the user’s fax transmissions.

Check Point’s researchers said they contacted both Google and the developers of the misconfigured applications prior to publishing their findings, adding that some of the developers did address the issues after being notified.

Related: Thousands of Mobile Apps Expose Data via Misconfigured Cloud Containers

Related: Unprotected Database Leaks Data of Wyze Users

Related: Thousands of Mobile Apps Leak Data from Firebase Databases

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.