Recently, CheckPoint Research discovered that several mobile app developers exposed the personal data of over 100 million users. This was the result of a variety of misconfigurations that exist in third-party cloud services. The exposed data could lead to cyberattacks against the users.

What has been discovered?

Researchers identified publicly available sensitive data from real-time databases in 13 Android applications. Each app has a number of downloads ranging from 10,000 to 10 million.
  • Personal data such as emails, location data, chat messages, photos, and passwords, was publicly available online.
  • The exposed information belongs to real-time databases that allow application developers to save data on the cloud. However, there was no authentication check to access them.
  • The mobile apps were identified as Astro Guru, T’Leva, Screen Recorder, and iFax, among others. Although these utility apps perform the tasks they are meant to, they inadvertently ended up exposing user data.
  • If a malicious actor gains access to such data, it could lead to service swipes, along with fraud and identity theft.

Unprotected push notifications

Along with misconfiguration issues, push notification managers in most of the apps weren’t password-protected either.
  • Most push notification services need single or multiple keys to recognize the identity of the request submitter and sometimes, these keys are just added inside the application file itself.
  • This makes it very easy for cybercriminals to take control and send notifications that could include malicious links or content to all users that appear to be sent by the developer.


This misconfiguration of real-time databases is quite common among mobile apps and affects millions of users. To stay protected, smartphone users are recommended to set up multi-factor authentication for every account and use tactical responses for account security questions. In addition, avoid entering sensitive information on unknown websites.

Cyware Publisher