Thousands of mobile applications are leaking personally identifiable information from unprotected Firebase databases.
According to research from application security company Appthority, 3,000 iOS and Android mobile apps have leaked -- and are still leaking -- 100 million records of user data. The records include 2.6 million plaintext passwords and user IDs; at least 4 million records containing protected health information (PHI); 25 million GPS location records; 50,000 financial records; and at least 4.5 million Facebook, LinkedIn, Firebase and corporate data store user tokens.
These exposures happen "when app developers fail to require authentication to a Google Firebase cloud database," according to the Appthority report. The report also noted that Firebase is one of the 10 most popular data stores for mobile apps, as over 53,000 apps used it in 2017.
"The challenge for app developers is that Firebase does not provide adequate security capabilities out of the box. The only security feature available to developers is authentication and rule-based authorization," Appthority explained in its report. "However, Firebase does not secure user data by default nor are third-party tools available to provide encryption for it."
The report also noted it would be easy for hackers to find unprotected Firebase databases and gain access to private data records.
"The result is a trove of data that is open to the public internet unless the developer explicitly imposes user authentication on each individual table or directory," Appthority explained in the report. "Even when developers do implement authentication, they may not secure every database table."
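The per-table (per-path) problem Appthority describes is easy to check for statically. The script below is an added example, not code from the report or from Firebase: it walks a Firebase Realtime Database rules document and reports every path whose `.read` or `.write` rule is the unconditional `true`, which is exactly the setting that leaves that subtree open to anyone on the public internet. The three rules documents inside it are constructed for the example; the middle one shows the "secured `/users` but forgot `/messages`" situation the report warns about. The check also treats the string `"true"` as unconditional, because rules are written as expression strings and the literal string `"true"` evaluates the same way as the boolean.

```python
"""Static check for world-readable / world-writable paths in a Firebase
Realtime Database rules document (the JSON you deploy as your rules file).

Added example; constructed inputs, not data from the Appthority report.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample 1: the "everything open" configuration. A rule at the
# root cascades to every child path, so this exposes the whole database.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed sample 2: the developer locked down /users per user but left
# /messages readable by anyone, and wrote "true" as a string under
# /public_config. Both are findings.
PARTIAL_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "messages": {
      ".read": true,
      ".write": "auth != null"
    },
    "public_config": {
      ".read": "true"
    }
  }
}
""")

# Constructed sample 3: every grant requires an authenticated user, and data
# is scoped to the caller's own uid where it is personal. No findings.
HARDENED_RULES = json.loads("""
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "messages": {
      "$msg": {
        ".read": "auth != null",
        ".write": "auth != null && newData.child('from').val() == auth.uid"
      }
    }
  }
}
""")


def _is_unconditional(expr) -> bool:
    """True when the rule grants access to anyone, authenticated or not:
    either the JSON boolean true or the expression string "true"."""
    if expr is True:
        return True
    return isinstance(expr, str) and expr.strip().lower() == "true"


def find_open_paths(rules_doc: Dict) -> List[Tuple[str, str]]:
    """Return (path, permission) pairs for every node whose .read or .write
    is unconditionally true. Firebase rules cascade downward (a grant at a
    parent cannot be revoked by a child), so a hit at "/" means everything
    under it is exposed, not just the root object."""
    findings: List[Tuple[str, str]] = []

    def walk(node, path: str) -> None:
        if not isinstance(node, dict):
            return
        for perm in (".read", ".write"):
            if perm in node and _is_unconditional(node[perm]):
                findings.append((path or "/", perm))
        for key, child in node.items():
            if key.startswith("."):
                continue  # .read/.write/.validate/.indexOn are not child paths
            walk(child, f"{path}/{key}")

    walk(rules_doc.get("rules", {}), "")
    return findings


if __name__ == "__main__":
    for name, doc in (("open", OPEN_RULES), ("partial", PARTIAL_RULES),
                      ("hardened", HARDENED_RULES)):
        print(name, find_open_paths(doc) or "no unconditional grants")
```

Run it against your own rules file (`json.load(open("database.rules.json"))`, the name used by convention with the Firebase CLI) before deploying. The dynamic equivalent of the same check, which is also how an attacker finds these databases, is an unauthenticated request to the REST endpoint of the database, `https://<db-name>.firebaseio.com/.json`: a properly locked-down database answers `{"error" : "Permission denied"}`, while an open one returns the data.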
In total, the Appthority researchers found over 113 GB of data exposed through the 3,000 apps. They also found that 62% of enterprises are using at least one vulnerable app, spanning a variety of industries across the globe, including banking, telecoms, postal services, ride-sharing companies, hospitality and education. The apps that leaked the most data were health and fitness apps.
"Medical information can be worth ten times more than credit card numbers on the deep web," the report said. "Fraudsters can use this data to create fake IDs to buy medical equipment or drugs, or combine a patient number with a false provider number and file fictional claims with insurers."
Appthority said it notified Google of the issue with apps backed by unprotected Firebase databases, but Seth Hardy, Appthority's director of security research, said he doesn't think the blame falls entirely on Google -- despite Google not enabling by default the security features that would prevent these leaks.
"They're not directly responsible," he said. "When you make a tool and try to make it easy to use, then you're probably not going to want to add that setting by default."
Hardy noted it's also not the responsibility of the user to make sure the apps are secure.
"It's definitely a developer issue," he said. "It's misconfiguration and mismanagement of the back-end infrastructure opening up these vulnerabilities."
The solution, according to Hardy, lies with the developers.
"It's really just a matter of trying to educate developers in general about secure coding practices, making sure that they're implemented in all parts of the software development lifecycle and giving users and enterprises the tools to verify whether these apps are implementing proper security controls on their data."