A single software bug in a popular push notification SDK exposed personal data from over 50 million Android app installs-including 30 million cryptocurrency wallets-before it was patched.