: Aviran Hazum, Aviad Danin, Bogdan Melnykov, Dana Tsymberg and Israel Wernik, Research by Intro Modern cloud-based solutions have become a standard in the mobile application development world. Services such as cloud-based storage, real-time databases, notification management, analytics, and more are simply a click away from being integrated into applications. However, developers often overlook the security aspect of these services, their configuration, and of course, their content. This research will describe the broad issue with misusing cloud-services – by both configuration and implementation – and portray the impact of “bad practices” on application developers and their users. Overview Check Point Research (CPR) recently discovered that in the last few months, many application developers put their data and users’ data at risk. By not following best practices when configuring and integrating 3rd party cloud services into applications, millions of users’ private data was exposed. In some cases, this type of misuse only affects the users, however, the developers were also left vulnerable. The misconfiguration put users’ personal data and developer’s internal resources, such as access to update mechanisms and storage at risk. In this research, CPR outlines how the misuse of real-time database, notification managers, and storage exposed over 100 million users’ personal data (email, passwords, names, etc.) and left corporate resources vulnerable to malicious actors. Misconfiguring Real-Time Database Real-time database allows application developers to store data on the cloud, making sure it is synched in real-time to every connected client. This service solves one of the most encountered problems in application development, while making sure that the database is supported for all client platforms. But what happens if the developer behind the app does not configure their real-time database with one of the most basic features – authentication? This misconfiguration of real-time databases is not new, but to our surprise, the scope of the issue is still far too broad and affects millions of users. All our researchers had to do was attempt to access the data. There was nothing in place to stop the unauthorized access from being processed. While investigating the content on the publically available database, we were able to recover a lot of sensitive information including email addresses, passwords, private chats, device location, user identifiers, and more. If a malicious actor gains access these data it could potentially result in service-swipes (ie. trying to use the same username-password combination on other services), fraud, and identity theft. Astro Guru, a popular astrology, horoscope and palmistry app with over 10 million downloads, had the same issue.  After users input their personal information including their name, date of birth, gender, location, email and payment details, Astro Guru provides a personal astrology and horoscope prediction report. Imagine losing sensitive data for a horoscope prediction! Storing personal information is one thing, but what about storing real-time data? This is what a real-time database is for. Through T’Leva, a taxi app with over 50,000 installs, we were able to access chat messages between drivers and passengers and retrieve users full names, phone numbers, and locations (destination and pick-up) – all by sending one request to the database. As mentioned earlier, this type of data exposure affects both developers and users. From the developer’s perspective, it is possible to alter the behavior of an app if actions are taken based on the data available on this type of platform. Moreover, most of the apps we have found had ‘read‘ permissions and ‘write’ permissions. This alone could compromise an entire application, not even considering the hit to the developer’s reputation, their user-base, or even their relationship with the hosting market. Push Notifications Push notification manager is one of the most widely used services in the mobile industry. Developers need to send push notifications to engage with users. For instance, push notifications are used to flag newly available content (like a new video posted), display chat messages, emails, and much more. Most push notifications services require a key (sometimes, more than one) to identify the identity of the request submitter. What happens when those keys are just embedded into the application file itself? While the data of the push notification service is not always sensitive, the ability to send notifications on behalf of the developer is more than enough to lure malicious actors. Imagine if a news-outlet application pushed a fake news entry notification to its users that directed them to a phishing page requesting that they renew their subscription. Since the notification originated from the official app, the users will not suspect a thing, as they are sure that this notification was sent by the developers. Cloud Storage Cloud storage on mobile applications is an elegant solution to access files shared by either the developer or the installed application. Let’s take, for example, two apps that we have found on Google Play. With over 10 million downloads, an app named “Screen Recorder” is used to record the device’s screen and store the recordings on a cloud service. While accessing screen recordings through the cloud is a convenient feature, there can be serious implications if the developers embed the secret and access keys to the same service that stores those recordings. With a quick analysis of the application file, we were able to recover the mentioned keys that grant access to each stored recording. The second app, “iFax”, not only had the cloud storage keys embedded into the app, but also stored all fax transmissions. After analyzing the app, we found a malicious actor could gain access to all documents sent by more than 500k users who downloaded this application. For ethical reasons, CPR did not access the storage account with the keys. We pulled evidence through the actual code of the apps to showcase that this type of sensitive information is accessible. Cover ups Many developers know that storing cloud services keys in their application is bad-practice. After analyzing dozens of cases, we found a few examples of keeping this issue “out of sight, out of mind” – ie. developers tried to “cover-up” the problem with a solution that did not fix the problem. Hiding the keys Below are a few examples of such misuse of cloud services keys. After inspecting a publicly available application with a free open source tool like “Jadx”, we can take a look into the application’s code and see the developer’s logic. In the example below, the developer used a Base64 encoding in order to hide the key. Base64 is not only reversible, it also does not have a need for any shared secret. All we had to do was to take the same line of code, and just print the outcome of the decoding function, in order to be provided with the app’s keys. Even if the application’s does not use clear-text keys, all that is needed is to find the piece of code that initialize the cloud service interface, which mostly receives those keys as parameters, and follow their value. Eventually, if the keys are embedded into the app, we will get their value. Vulnerable malware To emphasis that this a developer issue, we researched mobile malware developers that implemented bad practices into their mobile malware. Let’s take a look at the that Check Point Software previously reported on. CopyCat malware The CopyCat malware stores their cloud service credentials inside a class file, while its XOR encoded.  A quick analysis of the malware application allowed us to uncover the keys for the cloud-storage service that CopyCat use, and allow us to, if we wanted, to alter all of the data that exists on the storage. This storage is used for a few key components of the malware – as a hosting service for malicious payloads that are downloaded by CopyCat, and even as an update utility for the malware components. How to protect yourself Check Point Harmony Mobile is the market-leading Mobile Threat Defense (MTD) and Mobile App Reputation Service (MARS) solution, providing the widest range of capabilities to help you secure your mobile workforce. Check Point Harmony Mobile MARS solution automatically scans and identifies mobile security threats and vulnerabilities. Learn more Appendix 1 – Vulnerable Applications: Google Play Installs Data Breached Vulnerability 10M+ Personal Chat messages Exposed Realtime DB 10M+ Group info, Chat messages Exposed Realtime DB 10M+ User’s messages Exposed Realtime DB 10M+ Chat messages Exposed Realtime DB 10M+ Browser history with complete urls, Can identify person browser history and get credentials from URL Exposed Realtime DB 10M+ Chat messages Exposed Realtime DB 10M+ Phone number, Name, email, profile images Exposed Realtime DB 10M+ Device id, facebook id, nickname, text message Exposed Realtime DB 10M+ emails and pincode Exposed Realtime DB 10M+ email, username and clear text passwords Exposed Realtime DB 10M+ Users information like location Exposed Realtime DB 50k+ Private chat and location Cloud-Storage keys embedded 10M+ Contains user screen records Cloud-Storage keys embedded 500K+ logs, test apps, billing reports, websites data, invoices Cloud-Storage keys embedded 500K+ website, user profiles, reports, users documents Cloud-Storage keys embedded 500K+ website, receipts, images, users backups Cloud-Storage keys embedded 100K+ other apps, website, profiles, images, mobile apps (debug version) Cloud-Storage keys embedded 100K+ uploads, images Cloud-Storage keys embedded 100K+ shared recording from users, Notification Push Keys embedded 100K+ remove subscribers, send push notifications, etc.. Exposed Realtime DB 50K+ personal data (names, mails, phone numbers) Cloud-Storage keys embedded 50K+ dev, qa, staging, logs, admin back up Cloud-Storage keys embedded 10K+ admin site, user photos and images Cloud-Storage keys embedded,Exposed Realtime DB

Check Point

Dana

Facebook

Google

Visit us

Too Long; Didn't Read

Automate Security Across All Your Cloud Environments

Research: The Misconfiguration of Real Time Databases in Mobile App Development

Too Long; Didn't Read

Companies Mentioned

Check Point Software

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Research: The Misconfiguration of Real Time Databases in Mobile App Development

Too Long; Didn't Read

Companies Mentioned

Check Point Software

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES