Thousands of mobile app cloud databases left exposed


Thousands of databases stored in the cloud have been found to be unprotected and exposed to anyone with a browser.

This was revealed by Check Point Research (CPR), which found 2113 mobile applications whose databases were unprotected and exposed throughout the course of a three-month research study. 

These mobile applications ranged from 10 000 or more downloads to 10 million or more downloads, and the sensitive data exposed included personal family photos, token IDs on a healthcare application, data from crypto-currency exchange platforms and more.

Lotem Finkelsteen, head of Threat Intelligence and Research at Check Point Software, says his team found the exposed databases by using Google's free online tool VirusTotal, which analyses files and URLs to detect viruses, trojans, and other forms of malware.

CPR says in a blog post that it found a considerable number of unprotected databases simply by creating a query in VirusTotal.


The post details several examples without naming the mobile apps that had left their cloud databases exposed.

In one example, CPR found over 50 000 private messages exposed through a popular dating application. In another, a running tracker application with over 100 000 downloads exposed users' GPS coordinates and other health parameters, such as heart rate.

The researchers show how extremely easy it is to locate data sets and critical resources of applications by querying public repositories, and say the industry needs to exercise better cloud security practices.

“Ultimately, with this research we prove how easy it is for a data breach or exploitation to occur," says Finkelsteen. "The amount of data that sits openly and that is available to anyone on the cloud is crazy. It is much easier to breach than we think.”

There are several things developers can do to better protect their applications' cloud storage, says CPR. On AWS, the company advises using CloudGuard S3 Bucket Security and enforcing the rule “Ensure S3 buckets are not publicly accessible” (Rule ID: D9.AWS.NET.06).

On Google Cloud Platform, developers need to ensure that Cloud Storage is not anonymously or publicly accessible (Rule ID: D9.GCP.IAM.09).

On Microsoft Azure, they must ensure the default network access rule for Storage Accounts is set to deny (Rule ID: D9.AZU.NET.24).
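The three rules above each boil down to a check on a configuration document. The following script is an added example, not code from Check Point or from CloudGuard: it evaluates those three conditions offline against already-fetched configuration documents whose shapes follow the provider APIs (an S3 PublicAccessBlockConfiguration, bucket policy and ACL grants; a Cloud Storage IAM policy; an Azure storage account resource with `properties.networkAcls`). The sample documents, bucket names and service account are constructed for illustration, and the `audit` function and its return format are this example's own.

```python
"""Offline checks mirroring the three rules named in the article (public S3
bucket, anonymously readable Cloud Storage bucket, Azure storage account whose
default network rule is not Deny). Each function takes an already-fetched
configuration document shaped like the provider's API response, so the
checks run without credentials. The sample documents are constructed here
for illustration; they are not from the Check Point research."""

import json

# Cloud Storage IAM members that mean "anyone on the internet".
GCS_PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# S3 ACL grantee group that means "anyone on the internet".
S3_ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"


def _principal_is_wildcard(principal):
    """A bucket-policy Principal of "*" or {"AWS": "*"} grants to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def s3_bucket_is_public(public_access_block, bucket_policy=None, acl_grants=()):
    """Rule D9.AWS.NET.06: is the bucket reachable by anonymous callers?

    public_access_block: PublicAccessBlockConfiguration dict (all False when unset).
    bucket_policy: parsed bucket policy document, or None if no policy is attached.
    acl_grants: list of ACL grants as returned by GetBucketAcl (Grantee/Permission).
    """
    # A public ACL grant counts unless IgnorePublicAcls makes S3 disregard it.
    if not public_access_block.get("IgnorePublicAcls"):
        for grant in acl_grants:
            if grant.get("Grantee", {}).get("URI") == S3_ALL_USERS_URI:
                return True
    # RestrictPublicBuckets limits a public policy to the account's own principals.
    if public_access_block.get("RestrictPublicBuckets"):
        return False
    for stmt in (bucket_policy or {}).get("Statement", []):
        # Flag any Allow to "*" even when a Condition is present: the condition
        # may narrow it, but a reviewer should confirm that rather than assume it.
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            return True
    return False


def gcs_bucket_is_public(iam_policy):
    """Rule D9.GCP.IAM.09: any binding to allUsers / allAuthenticatedUsers?"""
    return any(
        member in GCS_PUBLIC_MEMBERS
        for binding in iam_policy.get("bindings", [])
        for member in binding.get("members", [])
    )


def azure_storage_default_denies(storage_account):
    """Rule D9.AZU.NET.24: properties.networkAcls.defaultAction must be Deny.
    A missing networkAcls block means the platform default, Allow."""
    acls = storage_account.get("properties", {}).get("networkAcls", {})
    return acls.get("defaultAction", "Allow") == "Deny"


def audit(s3, gcs, azure):
    """Return the IDs of the article's rules that the given documents violate."""
    violations = []
    if s3_bucket_is_public(s3["public_access_block"], s3.get("policy"), s3.get("acl_grants", ())):
        violations.append("D9.AWS.NET.06")
    if gcs_bucket_is_public(gcs):
        violations.append("D9.GCP.IAM.09")
    if not azure_storage_default_denies(azure):
        violations.append("D9.AZU.NET.24")
    return violations


# Constructed sample documents (not real accounts): each one is misconfigured.
SAMPLE_S3 = {
    "public_access_block": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "policy": json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                         '"Principal": "*", "Action": "s3:GetObject", '
                         '"Resource": "arn:aws:s3:::example-app-uploads/*"}]}'),
}
SAMPLE_GCS = {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}
SAMPLE_AZURE = {"name": "exampleappstorage",
                "properties": {"networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"}}}

# Hardened counterparts: same data paths, closed to anonymous access.
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
HARDENED_GCS = {"bindings": [{"role": "roles/storage.objectViewer",
                              "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]}]}
HARDENED_AZURE = {"name": "exampleappstorage",
                  "properties": {"networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"}}}

if __name__ == "__main__":
    print("misconfigured:", audit(SAMPLE_S3, SAMPLE_GCS, SAMPLE_AZURE))
    print("hardened:", audit({"public_access_block": HARDENED_PAB, "policy": SAMPLE_S3["policy"]},
                             HARDENED_GCS, HARDENED_AZURE))
```

Running the script reports all three rule IDs for the misconfigured samples and an empty list for the hardened ones. The S3 check deliberately flags an `Allow` to `*` even when the statement carries a `Condition`, since a condition such as a source-IP restriction may or may not be adequate; a conservative finding that a reviewer closes is preferable to a silent miss of exactly the kind of exposure the research describes.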
