In 2017, the Appthority Mobile Threat Team (MTT) discovered the HospitalGown vulnerability, named for data leaking through unsecured backend data stores. Now we have discovered the Firebase vulnerability, a new variant of HospitalGown that occurs when mobile app developers fail to require authentication to a Google Firebase cloud database.
Firebase is one of the most popular backend database technologies for mobile apps, but it does not secure user data by default. It takes little effort for attackers to find open Firebase app databases and gain access to millions of private mobile app data records.
The Firebase vulnerability is a significant mobile data vulnerability that has exposed a wide range and large volume of sensitive data through thousands of mobile apps.
Scope of Impact
- 3,000 mobile iOS and Android apps (over 620 million Android downloads alone) are leaking data from 2,300 unsecured Firebase databases
- Multiple app categories are impacted, including tools, productivity, health and fitness, communication, finance and business apps
- Most enterprises are impacted: 62% of enterprises have at least one vulnerable app in their mobile environment
Full research findings on HospitalGown – Firebase will be released in an upcoming Appthority Mobile Threat Report.
Appthority customers already have advanced detection available to identify iOS and Android apps vulnerable to the HospitalGown – Firebase threat. Appthority is the only mobile security vendor researching and protecting against these large-scale back-end data exposures.
Appthority recommends enterprises take the following priority actions:
- Understand your full exposure to this vulnerability from apps on COPE and BYO devices by activating the HospitalGown – Firebase Threat Indicator in your organization’s Appthority MTP portal (directions below)
- Secure your company-branded consumer public apps
- Secure your EMM published applications (internal and public)
- Educate your employees on the security risks of affected personally downloaded apps on employee devices (Employee email template available here)
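For teams securing their own apps, the missing authentication requirement described above shows up in a Firebase Realtime Database rules file as a `.read` or `.write` rule that is `true` or never references `auth`. The following is an added example, not Appthority's detection logic or code from the original page: a small auditor that walks a rules file and also reports rules made ineffective by an open parent, since rules cascade downward. The sample rules, path names, and the `allow_public_read` parameter are constructed for illustration.

```python
import json

# Constructed sample in Realtime Database rules format; not taken from any real app.
SAMPLE_RULES = json.loads("""{
  "rules": {
    "users": {"$uid": {".read": "auth != null && auth.uid === $uid",
                       ".write": "auth != null && auth.uid === $uid"}},
    "chats": {".read": true,
              "$room": {".read": "auth != null",
                        ".write": "data.child('open').val() === true"}},
    "public_config": {".read": true, ".write": false}
  }
}""")

def classify(value):
    """Return a reason string if the rule grants access without authentication."""
    expr = json.dumps(value) if isinstance(value, bool) else str(value)
    expr = expr.replace(" ", "")
    if expr == "true":
        return "open to anyone"
    if expr != "false" and "auth" not in expr:  # heuristic substring check
        return "condition never checks auth"
    return None

def audit_rules(doc, allow_public_read=()):
    """Walk the rules tree and return sorted (path, op, reason) findings."""
    findings = []
    def walk(node, path, open_ops):
        local_open = dict(open_ops)
        for op in (".read", ".write"):
            if op not in node:
                continue
            reason = classify(node[op])
            if op in open_ops:
                # Rules cascade: a grant at a parent cannot be revoked below it.
                findings.append((path, op, "shadowed by open rule at " + open_ops[op]))
            elif reason and not (op == ".read" and path in allow_public_read):
                findings.append((path, op, reason))
            if reason == "open to anyone":
                local_open.setdefault(op, path)
        for key, child in node.items():
            if isinstance(child, dict):
                walk(child, path + "/" + key, local_open)

    walk(doc["rules"], "", {})
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_rules(SAMPLE_RULES, ("/public_config",)), sep="\n")
```

Running it against an exported rules file before each release makes an unauthenticated path a review finding rather than a production exposure.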
Step-by-step instructions on how to enable the HospitalGown – Firebase Threat Indicator in the Appthority MTP Manager portal can be found here.
Contact your Appthority account team directly or firstname.lastname@example.org if you have questions.