It has been reported that security researchers have discovered that personal data of more than 100 million Android users has been exposed due to various misconfigurations of cloud services. The data was found in unprotected real-time databases used by 23 apps with download counts ranging from 10,000 to 10 million and also includes internal developer resources. While misconfigured real-time databases are not a surprise, the discovery shows that some Android developers do not follow basic security practices to restrict access to the app’s database.
The amount of mobile apps with misconfiguration issues shows that this is a widespread problem that can be easily leveraged for malicious purposes. App developers use real-time databases to store data in the cloud and synchronize it in real-time with connected clients. Security researchers found that some of these databases were left unprotected and anyone could access personal information, some of it sensitive, belonging to over 100 million users.
Commenting on the news are the following cybersecurity experts:
Irfahn Khimji, country manager – Canada at Tripwire:
“Unfortunately, misconfigurations like these have become all too common. Exposing sensitive data does not require a sophisticated vulnerability, rather, a simple misconfiguration can lead to data being exposed. The rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone. A misconfigured database on an internal network might not be noticed, and if noticed might not go public, but the stakes are higher when organizational data storage is directly connected to the Internet. Organizations should identify processes for securely configuring all systems, including cloud-based storage, such as Azure Blob Storage, Amazon S3 Buckets, and Elasticsearch. Once a process is in place, the systems must be monitored for changes to their configurations as change detection is key for securing an organizations cloud storage and preventing inadvertent exposure. These are solvable problems, and tools exist today to help.”
Trevor Morgan, product manager at comforte AG:
“Unfortunately, we come across another misconfigured cloud service leading to the exposure of millions of records. Data breaches from cloud computing often happen because sensitive data is stored and processed in clear text form. While cloud service providers offer data security capabilities, those capabilities are usually rather basic, and the particular business is still the responsible caretaker, especially in the eyes of regulators. The increased attack surface of cloud environments makes for a potentially weak overall security posture. In addition, with a hybrid and multi cloud strategy, data becomes dispersed across multiple clouds as well as their own datacenters. Data security becomes even more difficult to manage as cloud infrastructure complexity grows.
Combined with a modern DevOps culture, misconfigurations and general security requirements that are overlooked or flat-out ignored are becoming commonplace. Sensitive data is required for many business use cases – especially those that generate revenue or provide valuable analytics for key industries such as financial services, insurance, and healthcare. Data protection, of course, is a crucial part of the cybersecurity protection framework. Data protection that focuses on the data itself (data-centric security) allows sensitive data to remain protected, even when other security layers in an organization’s cybersecurity framework fail, or are bypassed. In addition it enables processing and analytics on protected data, drastically reducing exposure of sensitive data. Companies today that are using technologies such as tokenization and format-preserving encryption are in a better position to ensure that an incident doesn’t have to become a data breach.”