Check Point research of 23 Android applications showed that they put users’ data at risk due to trivial mistakes made by developers when integrating 3rd party cloud services into applications. These recent Google Play apps account for over 100 million downloads.

Among the most common flaws, the researchers noted the lack of password protection for the real-time database on the server side, as well as the keys and tokens embedded in the code that grant access to the cloud storage or push notification service.

The following information was found in databases unprotected from unauthorized access:

• usernames, unencrypted passwords, email addresses, phone numbers;

• profile images, chat messages, including private and group chats;

• browser history;

• device ID, Facebook id, nickname;

• SMS messages, emails, PIN-codes;

• user location, screenshots;

• billing reports, invoices, prescriptions for medicines; users documents, audio recordings, photo albums;

• logs, backups, site data, test apps;

• requests to cancel subscription, receive push notifications.

The Check Point report mentions only five names of the analyzed Android applications: Logo Maker, Astro Guru, T'Leva, Screen Recorder, and iFax.

Source: anti-malware.ru