Security researchers discovered that personal data of more than 100 million Android users has been exposed due to various misconfigurations of cloud services.
The data was found in unprotected real-time databases used by 23 apps with download counts ranging from 10,000 to 10 million and also includes internal developer resources.
Comments by: Jonathan Knudsen, Senior Security Strategist, Synopsys Software Integrity Group
The recent research uncovering widespread misconfigurations in both the apps themselves and the databases where app data is stored isn’t surprising. And yet, the fact that users’ names, email addresses, birth dates, messaging data, location, passwords, payment information, and more are exposed is highly worrisome. The best way to safeguard security is for app developers to use a Secure Development Life Cycle, in which security is part of every phase of development, from design through implementation, testing, and maintenance.
In addition to misconfiguration issues, a highly important — and often neglected — part of secure development which impacts user data and privacy is managing the use of open source components. As highlighted in the recent Synopsys CyRC report, ‘Peril in a Pandemic’, almost two-thirds of the most popular apps in the Play Store contain vulnerabilities from open source components. Out of those, 94% of the vulnerabilities have publicly documented fixes, meaning the vulnerabilities can be eliminated if the app developers update the app to use the latest versions of the open source components.
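The misconfiguration behind the exposure described above is a real-time database whose access rules allow anonymous reads or writes. The following added example (not from the article or from Synopsys) audits a rules document for such paths; it assumes the Firebase Realtime Database rules syntax, which the article does not name, and both rule sets are constructed samples.

```python
import json

# Constructed sample in the Firebase Realtime Database rules style (an assumption;
# the article does not identify the database product). World-readable and
# world-writable at the root, plus a redundant open read on /users.
WEAK_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true,
    "users": { ".read": true }
  }
}
""")

# Constructed hardened version: deny by default, and let each signed-in user
# reach only their own record.
HARDENED_RULES = json.loads("""
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
""")

def is_open(expr):
    """Heuristic: a rule grants anonymous access when it is literally true or is an
    expression that never consults the caller's identity (the auth variable)."""
    if expr is True:
        return True
    if isinstance(expr, str):
        return "auth" not in expr
    return False

def find_open_paths(rules, path="/"):
    """Walk the rules tree and collect (path, operation) pairs that need no login.
    Permissions cascade downward, so an open root exposes every child path."""
    findings = []
    for op in (".read", ".write"):
        if op in rules and is_open(rules[op]):
            findings.append((path, op))
    for key, child in rules.items():
        if key.startswith(".") or not isinstance(child, dict):
            continue  # skip rule keys and literal values; recurse into child nodes
        findings.extend(find_open_paths(child, path.rstrip("/") + "/" + key))
    return findings

def audit(doc):
    """Return the sorted, de-duplicated list of anonymously accessible paths."""
    return sorted(set(find_open_paths(doc["rules"])))
```

Running `audit(WEAK_RULES)` reports the open root and the open `/users` read, while `audit(HARDENED_RULES)` returns an empty list.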