Not long ago, CheckPoint Security researchers found databases exposed online that belonged to Android application developers. The databases required no authentication or other security check to access, and as a result exposed data such as emails, location data, chat messages, photos, and passwords belonging to users of the apps. Some of the affected apps were more popular than others; they included Astro Guru, T’Leva, Screen Recorder, and iFax, along with nine others. Some of the apps also do not require a key when accessing the push notification manager, which could allow malicious links to be added to push notifications. Although the apps themselves are not malicious, the security controls surrounding them are dangerously lacking.
Mobile phone users are advised to use two-factor authentication whenever available to add an extra layer of security. Trusted apps should be used when possible, and apps that are no longer used should be deleted from the device. Think twice when inputting sensitive information into applications: many apps store data on servers controlled by the app’s developers, and any information exposed by poor security controls on those servers can be stolen and abused by attackers.