Recently, users have begun to question apps that store their private and most sensitive data. While most of them understand that this is a requirement for the app to function properly, scandals regarding the misuse of data keep popping up, each one more concerning than the last. It’s become the norm for us to second-guess whether we should download an app or not.
Mashable reports that Firebase, a popular cloud-based back-end platform owned by Google, has thousands of users’ information stored on unsecured databases that could be accessed by anyone with relative ease.
Appthority, a mobile security company, looked into 2.7 million apps on iOS and Android. Around 3,000 of these apps stored their data on unsecured databases, leaving sensitive information up for grabs. This data includes users’ GPS locations, IDs and passwords, financial transaction records, and more. More than 100 million individual records were involved in the breach.
Appthority’s report claims that Firebase’s databases are not protected by a firewall or authentication systems; in fact, a hacker would only need to add “/.json” to the link of the database name to access the desired information.
The list of affected apps has not been released to the public, but Appthority has contacted Google and the affected apps so they could take the necessary steps in order to protect their users. The affected apps reportedly serve a variety of purposes including messaging, health, and financial advice.
Google contacted Mashable refuting Appthority’s report, claiming that they take security seriously and that the mobile security company painted the situation incorrectly.
“Google takes security very, very seriously. We work hard every day to encourage developers to observe best practices. We publish a full guide on securing Realtime Database data here. If developers allow public access to their database, we show a warning in the Firebase admin console that tells developers when they’ve turned off security rules impacting their Firebase databases and that they are at risk for leaking data (see screen capture attached). Back in December 2017, we sent emails to all insecure projects with directions on how to turn security rules back on.
“For further reference, Appthority originally incorrectly painted the situation as a Firebase vulnerability. After educational discussions with the Firebase team, their press release and supporting blog post were updated to make it clear that Firebase DOES secure data by default.”
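For developers who want to check their own project for the public-access condition described above, the following added example (not code from Google, Appthority, or the original article) scans an exported Realtime Database rules document for `.read` or `.write` rules that grant access without authentication. The sample rules are constructed, and the script assumes the rules file is plain JSON without comments.

```python
import json

# Constructed sample rules, not taken from any real project.
OPEN_RULES = '{"rules": {".read": true, ".write": true}}'
MIXED_RULES = '''{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "public_feed": {".read": "true", ".write": "auth != null"}
  }
}'''

def _is_unconditional(expr):
    """True when a rule grants access to everyone (boolean true or the string "true")."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")

def find_public_rules(rules_json):
    """Return sorted (path, operation) pairs where access needs no authentication."""
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                # Read/write grants cascade: a public rule here also opens every child path.
                if _is_unconditional(value):
                    findings.append((path or "/", key))
            elif not key.startswith("."):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "")
    return sorted(findings)

if __name__ == "__main__":
    for name, doc in (("open", OPEN_RULES), ("mixed", MIXED_RULES)):
        for path, op in find_public_rules(doc):
            print(f"{name}: {op} is public at {path}")
```

A finding at `/` means the whole database is readable or writable by anyone; a finding at a deeper path may be intentional and should be reviewed against what is stored there.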
Appthority’s study joins a long list of situations where companies appear to show little concern for the security of their users, misusing data and putting their customers in potentially dangerous situations.