Some Android app APIs have been putting users at risk

Patrick Devaney
Dec 20, 2022

Rather worryingly, an analysis of 600 Android apps available on the Google Play Store has found that around 50% of the apps examined were leaking the API keys of three of the most popular email marketing services.

An API, or application programming interface, is what allows apps and services to integrate with third-party sites and services so that they work together seamlessly, with all the work going on in the background. Unfortunately, the apps leaking keys here are some of the worst you could imagine for this type of breach. They are the types of apps that online companies and services use to collect customer contact details and manage outbound marketing campaigns, meaning there is a lot of sensitive data sitting behind these API keys.

The analysis, by contextual AI cybersecurity specialists CloudSEK, used the company’s BeVigil security search engine to investigate the 600 Google Play Store apps. It found that Mailchimp, SendGrid, and Mailgun API keys were being leaked by roughly half of all the apps, allowing sensitive data to pass to malicious third parties, which could compromise users’ security and place them more at risk of being targeted by online scammers.

To drive home the seriousness of the issue, the affected apps have already been downloaded 54 million times, with each of them now at risk of having any and all details leaked via the API keys. According to CloudSEK, the breach could enable malicious actors to read emails, steal customer data, access email lists, and even run email marketing campaigns as representatives of the compromised businesses. This last point means that users who are exposed in this way will be particularly vulnerable to sophisticated phishing campaigns that would be incredibly difficult to spot.

It is shocking, to say the least, that such a huge number of vulnerable apps have made it onto the Google Play Store and that prominent services are seeing their APIs so easily breached in this manner. As ever, with phishing scams on the rise these days, we will point you to this helpful infographic for spotting scam emails and phishing scams, which is full of tips to help you stay safe from these popular types of scams.
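For developers who want to check their own release build, here is an added example (not from the article or from CloudSEK) that scans the files inside an APK for strings shaped like Mailchimp, SendGrid and Mailgun keys. The key patterns are commonly published shapes and the sample archive is constructed; the article does not say how the keys leak, so this assumes they are embedded in the app package.

```python
import io
import re
import zipfile

# Commonly published key shapes (assumptions, not from the article). A hit is a
# candidate to review and rotate, not proof that the key is live.
KEY_PATTERNS = {
    "mailchimp": re.compile(rb"(?<![0-9a-f])[0-9a-f]{32}-us[0-9]{1,2}(?![0-9])"),
    "sendgrid": re.compile(rb"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])"),
    "mailgun": re.compile(rb"key-[0-9a-zA-Z]{32}(?![0-9a-zA-Z])"),
}


def redact(value: bytes) -> str:
    """Keep only enough of a match to locate it in the source tree."""
    text = value.decode("ascii")
    return text[:6] + "..." + text[-4:]


def scan_apk(apk) -> list:
    """Return sorted (member, service, redacted_match) hits for an APK path or file object."""
    hits = set()
    with zipfile.ZipFile(apk) as archive:  # an APK is a ZIP archive
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info)  # decompressed raw bytes of the member
            for service, pattern in KEY_PATTERNS.items():
                for match in pattern.finditer(data):
                    hits.add((info.filename, service, redact(match.group())))
    return sorted(hits)


def build_sample_apk() -> io.BytesIO:
    """Constructed archive with fake keys, standing in for a release build."""
    fake_mailchimp = b"0123456789abcdef" * 2 + b"-us21"
    fake_sendgrid = b"SG." + b"A" * 22 + b"." + b"b" * 43
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("classes.dex", b"\x00dex\x00" + fake_mailchimp + b"\x00")
        archive.writestr("assets/config.json", b'{"mail_key": "' + fake_sendgrid + b'"}')
        archive.writestr("res/raw/notes.txt", b"no secrets here, key-placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for member, service, shown in scan_apk(build_sample_apk()):
        print(f"{member}: possible {service} key {shown}")
```

Any hit in a shipped build means the key should be rotated and moved behind a server the app calls, since anything packaged in the APK can be read by whoever downloads it.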

Publisher
Ghacks Technology News

Comments

  1. Mystique said on December 21, 2022 at 10:34 am

    I have glossed over this article but what I can say is that if you are able to remove and patch analytics that would be a good start. If you don’t know how I guess you could use things like Lucky Patcher.
    It doesn’t matter if you pay for the app or not there is always a ton of “analytics” and “Telemetry” attached to these apps. There is no accountability or policing which is basically the same as the Chrome Webstore. Atrocious!

    1. plusminus_ said on December 22, 2022 at 11:14 pm

      I tend to disable certain services (such as AppMeasurement, things with Analytics in their name) within apps using MyAndroidTools (1.6.0, it’s an old version but working fine for me on Android 11)

  2. Seeprime said on December 20, 2022 at 8:54 pm

    Is a list of all the affected apps available online? If so, would some kind person post it here? Thanks.

    1. android said on December 21, 2022 at 1:21 pm

      com.android.chrome
      com.android.vending

  3. Paul(us) said on December 20, 2022 at 5:08 pm

    Patrick, your article says “some apps” but it’s 54 million apps or around 50% of all the apps and that is a bit more than some! :-)

    1. Thane said on December 20, 2022 at 6:03 pm

      To be fair, they checked 600 apps and 50% of those were leaking. That’s a pretty small subset of 54 million, but you’re probably right that most of them are leaking.

      Is there a list/way to check one’s apps?

  4. Tachy said on December 20, 2022 at 4:11 pm

    Why would you be shocked that these devices are doing exactly what they are designed to do?
