Media Coverage Archive

TechTarget | BY Madelyn Bacon
Friday | June 22, 2018

Android and iOS mobile apps that use unprotected Firebase databases leaked over 100 million records that include PHI, financial records, and authentication information.

Thousands of mobile applications are leaking personally identifiable information from unprotected Firebase databases.

According to research from application security company Appthority, 3,000 mobile iOS and Android apps are leaking 100 million exposed records of user data. The records include 2.6 million plain textpasswords and user IDs, at least 4 million records with protected health  information (PHI), 25 million GPS location records, 50 thousand financial records, and at least 4.5 million Facebook, LinkedIn, Firebase and corporate datastore user tokens.

These exposures happen “when app developers fail to require authentication to a Google Firebase cloud database,” according to the report from Appthority, which also notes that Firebase is one of the 10 most popular datastores for mobile apps with over 53,000 apps using it in 2017.

“The challenge for app developers is that Firebase does not provide adequate security capabilities out of the box. The only security feature available to developers is authentication and rule-basedauthorization,” Appthority explained in its report. “However, Firebase does not secure user data by default nor are third-party tools available to provide encryption for it.”

The report also noted that it would be easy for hackers to find unprotected Firebase databases and gain access to private data records.

“The result is a trove of data that is open to the public internet unless the developer explicitly imposes user authentication on each individual table or directory,” Appthority explained in the report. “Even when developers do implement authentication, they may not secure every database table.”

As a result, the Appthority researchers found that over 113 GB of data has been exposed through the 3,000 apps. They also found that 62% of enterprises are using at least one vulnerable app, spanning a variety of industries across the globe including banking, telecoms, postal services,ride sharing companies, hospitality and education. The apps that leaked the most data were health and fitness apps.

“Medical information can be worth ten times more than credit card numbers on the deep web,” the report said. “Fraudsters can use this data to create fake IDs to buy medical equipment or drugs, or combine a patient number with a false provider number and file fictional claims with insurers.

“It’s misconfiguration and mismanagement of the backend infrastructure opening up these vulnerabilities.
– Seth Hardy, Director of Security Research, Appthority

Appthority said it notified Google of this issue with apps hosted on unprotected Firebase databases, but Seth Hardy, Appthority’s director of security research, doesn’t think the blame falls entirely to Google — despite Google not making the security features that would prevent these leaks set to default.

“They’re not directly responsible,” he told SearchSecurity. “When you make a tool and try to make it easy to use, then you’re probably not going to want to add that setting by default.”

Hardy noted that it’s also not the responsibility of the user to make sure the apps are secure.

“It’s definitely a developer issue,” he said. “It’s misconfiguration and mismanagement of the backend infrastructure opening up these vulnerabilities.”

The solution, according to Hardy, lies with the developers.

“It’s really just a matter of trying to educate developers in general about secure coding practices, making sure that they’re implemented in all parts of the software development lifecycle and giving users and enterprises the tools to verify whether these apps are implementing proper security controls on their data.”

Read the original article on TechTarget here.