Thousands of mobile applications are leaking personally identifiable information from unprotected Firebase databases.

According to research from mobile application security company Appthority, 3,000 mobile iOS and Android apps are leaking exposed records of user data. The records include 2.6 million plain text passwords and user IDs, at least 4 million records with protected health information (PHI), 25 million GPS location records, 50 thousand financial records, and at least 4.5 million Facebook, LinkedIn, Firebase and corporate datastore user tokens.

These exposures happen “when app developers fail to require authentication to a Google Firebase cloud database,” according to the report from Appthority, which also notes that Firebase is one of the 10 most popular datastores for mobile apps with over 53,000 apps using it in 2017.

“The challenge for app developers is that Firebase does not provide adequate security capabilities out of the box. The only security feature available to developers is authentication and

authorization,” Appthority explained in its report. “However, Firebase does not secure user data by default nor are third-party tools available to provide encryption for it.”

The report also noted that it would be easy for hackers to find unprotected Firebase databases and gain access to private data records.

“The result is a trove of data that is open to the public internet unless the developer explicitly imposes user authentication on each individual table or directory,” Appthority explained in the report. “Even when developers do implement authentication, they may not secure every database table.”
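The per-table point above can be checked mechanically. The following is an added example, not code from Appthority or from the report: it walks a Realtime Database rules document (the `".read"` / `".write"` rule language that Firebase uses) and lists every path that ends up readable or writable without authentication. The three rule sets are constructed for illustration, including the half-secured one in which a developer protected one table but left a root-level grant that the other table inherits.

```python
import json

# Constructed example: an open ruleset that exposes every path to the
# public internet (anyone can read and write without signing in).
OPEN_RULES = json.loads('{"rules": {".read": true, ".write": true}}')

# Constructed example: auth was added on one table only, but the root rule
# still grants public read access, which the "users" table inherits.
PARTIAL_RULES = json.loads("""
{"rules": {
  ".read": true, ".write": false,
  "patients": {".read": "auth != null", ".write": "auth != null"},
  "users": {}
}}
""")

# Constructed example: default deny at the root, auth required per table.
LOCKED_RULES = json.loads("""
{"rules": {
  ".read": false, ".write": false,
  "patients": {".read": "auth != null", ".write": "auth != null"},
  "users": {".read": "auth != null", ".write": "auth != null"}
}}
""")

def public_paths(rules):
    """Return sorted 'path:permission' entries reachable without signing in.

    Realtime Database rules cascade downward: a literal true on ".read" or
    ".write" grants that permission to the node and every descendant, and a
    child rule cannot take it back. The walk therefore carries inherited
    grants and reports every node (even an empty one) that ends up public.
    """
    found = []

    def walk(node, path, inherited):
        granted = dict(inherited)
        for perm in (".read", ".write"):
            if node.get(perm) is True:  # only a literal true is public
                granted[perm] = True
        found.extend(f"{path or '/'}:{p}" for p, ok in granted.items() if ok)
        for key, child in node.items():
            if not key.startswith(".") and isinstance(child, dict):
                walk(child, f"{path}/{key}", granted)

    walk(rules["rules"], "", {".read": False, ".write": False})
    return sorted(found)
```

Run it against an exported rules file and an empty result is the goal; any entry is a table or directory the report's "trove of data" scenario applies to.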

As a result, the Appthority researchers found that over 113 GB of data has been exposed through the 3,000 apps. They also found that 62% of enterprises are using at least one vulnerable app, spanning a variety of industries across the globe including banking, telecoms, postal services, ride-sharing companies, hospitality and education. The apps that leaked the most data were health and fitness apps.

“Medical information can be worth ten times more than credit card numbers on the deep web,” the report said. “Fraudsters can use this data to create IDs to buy medical equipment or drugs, or combine a patient number with a false provider number and file fictional claims with insurers.”


Appthority said it notified Google of this issue with apps hosted on unprotected Firebase databases, but Seth Hardy, Appthority’s director of security research, doesn’t think the blame falls entirely on Google, even though Google does not enable by default the security features that would prevent these leaks.

“They’re not directly responsible,” he told SearchSecurity. “When you make a tool and try to make it easy to use, then you’re probably not going to want to add that setting by default.”

Hardy noted that it’s also not the responsibility of the user to make sure the apps are secure.

“It’s definitely a developer issue,” he said. “It’s misconfiguration and mismanagement of the backend infrastructure opening up these vulnerabilities.”

The solution, according to Hardy, lies with the developers.

“It’s really just a matter of trying to educate developers in general about secure coding practices, making sure that they’re implemented in all parts of the software development lifecycle and giving users and enterprises the tools to verify whether these apps are implementing proper security controls on their data.”
