100 Million Android Users Hit by Cloud Leaks

As reported by The Threat Post, Check Point Research has found 23 Android mobile apps, with a total of more than 100 million Android users, that are leaking personal data due to cloud server “misconfigurations” (my emphasis. As most of the developers have not fixed their “misconfiguration” after being notified, it is possible the more accurate term is “malicious sloppiness”).

These apps would require the user to provide some information – for example, a taxi app had chats between the driver and client, a horoscope app requested significant personal data from users in order to read their futures).

Due to the server misconfigurations, it was possible for just about anyone to access the personal information provided by the users in real-time. This creates an environment in which the server can be weaponized to inject data from the criminal hacker into the data stream between the user and service. For example, fake chat messages, fake “I’ll pick you up at 4th and Holland in 5 minutes” chats, phishing links, data harvesting, and more – all within a legitimate app.

Imperva Research Labs reports that data-leakage events have increased over 500% in the past year.

What To Do

There is little the end-user can do, as the data is on a server that you and I have no control over. However, there are fast and easy steps we can all do to help prevent our data leaking from cloud servers:

  • Only install those apps that are needed. Review every app on your phone and tablet. If it is not serving a necessary purpose, remove it.
  • If an app requires Security or Challenge Questions from you, provide false answers. For example, if a security question is What city were you born in? Instead of answering with the actual city, answer with something like Stairs. Should criminals access your data, such answers will provide no benefit to them.
  • If an app or cloud service offers Two-Factor Authentication, use it. This provides a belt-and-suspender approach to your data security.
  • If an app or cloud service does not offer Two-Factor Authentication, find an alternative that does, or failing that, contact the developer to make known how important such security is to you.
  • Configure your mobile device and app permissions such that apps can only access your location, microphone, screen, camera, etc. when you approve of the access, not all of the time.
  • Make a note on your calendar to check out https://haveibeenpwned.com on a monthly basis. This site maintains a database of breached internet accounts. If one of your accounts has been breached, this site will let you know, so that you may be able to take action.

Next Steps

Cybersecurity and internet privacy is a constant cat-and-mouse game. But once you know how to play the game, it is far easier than stressing over the possibilities, and can even be fun!

For over eight years Practical Paranoia books and workshops have brought cybersecurity and internet privacy to colleges, high schools, trade schools, government facilities, and most importantly–the home and business user.

Guaranteed to be the fastest, easiest, and most comprehensive guides and workshops of their kind.

Visit https://thepracticalparanoid.com to learn how you can secure your, your family, and your business information and privacy in just a few hours, and for 1/10 the cost of hiring a cybersecurity professional.