
Report: Misconfigured Firebase Backends Causing Thousands of iOS and Android Apps to Leak User Data

Security researchers say some 2,200 unsecured Firebase databases are causing over 3,000 iOS and Android apps to leak user data, leaving over 100 million records exposed.

The records are reported to include plaintext passwords, health information, GPS location data and more.

AppleInsider:

According to a new report from the mobile app security firm Appthority, called the Q2 2018 Enterprise Mobile Threat Report, the issue is caused by a new variant of what is dubbed the “HospitalGown vulnerability.” HospitalGown, cheekily named because it deals with data “leaking through backend data stores,” was first pinpointed by the Appthority Mobile Threat Team in 2017. 

Appthority says the problem is occurring when app developers do not require authentication for Google Firebase cloud databases. Authentication is not turned on by default when developers use the development tool.

Of 1,275 iOS apps using a Firebase database, 600 were found to be vulnerable. Overall, over 3,000 iOS and Android apps were found to be leaking data from 2,271 misconfigured databases.

And among the data leaked are 2.6 million plain text passwords and user IDs, more than 4 million Protected Health Information records, and 50,000 financial records. 

Firebase is a Google product that offers backend tools for mobile app developers. Appthority checked 2.7 million iOS and Android apps to identify 28,502 mobile apps — 27,227 Android and 1,275 iOS — that used Firebase backends to store data.

Google has been notified of the issue. Meanwhile, Appthority recommends developers take steps to protect their users’ data more effectively.

“You’ll need to perform a thorough security review of internal apps developed by third parties, in-house developed apps, and public apps available for employee productivity,” Appthority says in the report. “You may have difficulty achieving visibility into data exposed by this threat in EMM published enterprise and public apps without an automated MTD solution focused on app threats and backend vulnerabilities, such as Appthority Mobile Threat Protection.”
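For developers doing the review the report calls for, the following is an added example (not from AppleInsider or the Appthority report) of auditing a Firebase rules file for paths that grant access without authentication. It assumes the Firebase Realtime Database rules layout exported as strict JSON (a top-level `rules` object with `.read` and `.write` expressions, where `auth != null` requires a signed-in user); the sample rule sets and function names are constructed for illustration.

```python
import json

# Constructed sample rule sets (not taken from any real app).
OPEN_RULES = '{"rules": {".read": true, ".write": true}}'
AUTH_RULES = '{"rules": {".read": "auth != null", ".write": "auth != null"}}'
MIXED_RULES = '''{"rules": {
  ".read": "auth != null",
  "users": {"$uid": {".read": "auth != null && auth.uid === $uid",
                      ".write": "auth != null && auth.uid === $uid"}},
  "public_feed": {".read": true, ".write": "auth != null"},
  "debug": {".write": "true"}
}}'''


def _is_unconditional(expr):
    """True when a rule grants access without consulting auth at all."""
    if isinstance(expr, bool):
        return expr
    # Rules may also be written as the string expression "true".
    return isinstance(expr, str) and expr.strip() == "true"


def find_public_paths(rules_text):
    """Return sorted (path, operation) pairs usable without signing in.

    A grant at a parent path applies to everything beneath it, so each
    finding means the whole subtree at that path is exposed.
    """
    root = json.loads(rules_text).get("rules", {})
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_unconditional(value):
                    findings.append((path or "/", key[1:]))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(root, "")
    return sorted(findings)


if __name__ == "__main__":
    for name, text in [("open", OPEN_RULES), ("auth", AUTH_RULES), ("mixed", MIXED_RULES)]:
        print(name, find_public_paths(text))
```

An empty result only shows that no rule is unconditionally open; rules that admit any signed-in user still need review against what each path stores.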

Chris Hauk

Chris is a Senior Editor at Mactrast. He lives somewhere in the deep Southern part of America, and yes, he has to pump in both sunshine and the Internet.