Two Android apps developed by Codeway have exposed vast amounts of personal data due to a misconfigured Google Cloud Storage bucket. The Play Store app "Video AI Art Generator & Maker," installed over 500,000 times, leaked more than 1.5 million user images, over 385,000 videos, and millions of user-generated AI files. The app, launched on 2023-06-13, has reportedly been hidden from the Play Store following these revelations.
Data Exposure Details
The "Video AI Art Generator & Maker" app exposed over 12 TB of data, totaling 8.27 million media files. A second app from the same developer, IDMerit, exposed Know-Your-Customer (KYC) data and personally identifiable information for users in the U.S. and 25 other countries, including Germany, France, China, and Brazil. Leaked data fields included full names, addresses, post codes, dates of birth, national IDs, phone numbers, genders, email addresses, and telco metadata.
Security Concerns and Recommendations
Researchers attribute many such data leaks to developers hardcoding secrets like passwords and keys into their code. Cybernews found that 72% of hundreds of Play Store apps analyzed had similar vulnerabilities. Codeway secured access to the IDMerit data on 2023-02-03. To mitigate risks, users should check a developer's portfolio, look for Google's "Verified Developer" badge, avoid apps that drain battery or offer suspiciously cheap lifetime subscriptions, and scan apps with Google Play Protect.