passwords may be in plain sight

Your financial records, GPS locations, and passwords may be in plain sight — left unprotected because of an app you’ve installed.

Researchers at Appthority, a mobile security firm, scanned both Android and iOS mobile apps that used Firebase databases – a cloud-based backend platform for mobile and web applications, to store their users’ data. Google acquired Firebase back in 2014, so it’s found a real user base among some of the top Android developers.

According to the report, more than 2.7 million mobile apps on both iOS and Android were looked into by Appthority. Researchers found that from the 27,227 Android apps and 1,275 iOS apps storing their app’s data in Firebase’s database systems, 3,046 of these apps saved data within 2,271 unsecured databases that anyone with enough database skill could access. Out of those apps, 2,446 are on Android and the remaining 600 are iOS applications.

IMAGE: AlphaGraphicsSeattle

In total, over 100 million individual records spanning a total of over 113 gigabytes of data make up the accessible information involved in the breach. The affected Android apps were downloaded more than 620 million times from the Google Play store.

The leaked data includes: 2.6 million user IDs and passwords in plain text, 25 million stored GPS location records, 50 thousand in-app financial transaction records, and more than 4.5 million social media platform user tokens. Other data being leaked includes over 4 million PHI (Protect Health Information) records which contains private chats and prescription records.

According to the report, the vulnerable Firebase backends aren’t protected by firewalls or authentication systems so, to gain entry to these unsecured databases, a “hacker” would simply have to tack on “/.json” with a blank database name to the end of the host name (for example, “https://appname.firebaseio.com/.json”).

Researchers pointed out that they made contact with Google before releasing the report, as well as providing Google with a full list of the unsecured apps aside reaching out to the app developers themselves. While the list of apps has not been made public, they include apps in categories ranging from messaging and finance to health and travel. The companies or creators behind these affected apps are located around the world.

This incident along with countless others continues to prove that there’s a lot left to be desired from companies who store our most private, personal data.

Worth sharing? Please share on Facebook or Twitter. It helps more people see it.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.