When you casually enter sensitive information into a cryptocurrency app, dating service, or shopping platform, you can assume that the people behind the mobile apps are doing their part to protect your data. But according to a new survey from Check Point Research (CPR), you are very wrong.
CPR released a scathing report exposing mobile apps that leave their users’ personal data unprotected and accessible to attackers. The most troubling finding of the investigation is that malicious actors need only one thing to pull off a data breach: a browser.
Dating apps, crypto platforms, health trackers and more: your data may not be safe
During a three-month research study, CPR investigators found that 2,113 mobile apps left their databases exposed and unprotected in the cloud. These apps ranged from over 10,000 downloads to over 10 million downloads.
Some of the sensitive data CPR researchers spotted included cryptocurrency exchange information, healthcare token IDs, personal family photos, and more. In a heartbreaking example, CPR uncovered 50,000 private messages from a popular dating app.
“In this research, we show how easy it is to locate critical datasets and resources that are open in the cloud to anyone who can simply browse to them,” said Lotem Finkelsteen, head of Threat Intelligence and Research at CPR.
Finkelsteen added that malicious actors can access exposed mobile app databases with a few simple steps that involve searching public file repositories (e.g. VirusTotal) for mobile apps that use cloud storage services. “Everything we found is available to everyone. Ultimately, with this research, we prove how easy it is for a data breach or abuse to occur.”
At this time, CPR isn’t revealing the names of the mobile apps in question, but here’s a small sample of the more than 2,000 platforms that exposed their users’ data during the investigation period:
- Department store app, one of the largest chains in South America (over 10 million downloads) — Exposed data: API gateway credentials and API key
- Race tracking app (over 100,000 downloads) — Exposed data: GPS coordinates of users and health metrics such as heart rate
- Dating app for people with disabilities (over 10,000 downloads) — Exposed data: 50,000 private messages in the app’s open database
- Logo maker app (over 10 million downloads) — Exposed data: 130,000 usernames, emails and passwords
- Social audio platform app for sharing and listening to podcasts (over 5 million downloads) — Exposed data: bank details, location, phone numbers, chat messages, user purchase history, etc.
- Accounting app (over a million downloads) — Exposed data: 280,000 phone numbers associated with at least 80,000 business names, addresses, bank balances, cash balances, bill statements and emails
This study reveals a glaring security problem: mobile applications are too careless with their users’ personal data. CPR also called out cloud security developers, concluding that they need to add better protections to their services.