Mobile applications with tens of millions of downloads are leaking sensitive user data due to the misconfiguration of back-end cloud databases, according to Check Point.
The security vendor’s three-month study began with a simple VirusTotal query for mobile apps listed on the malware scanning service that communicate with the Firebase cloud database.
In this way, Check Point discovered 2113 mobile apps over the course of the study whose Firebase back-end was exposed through misconfiguration.
“While writing code, developers invest a lot of resources to harden an application against several forms of attacks. However, developers may neglect configuring the cloud database properly thus leaving real-time databases exposed, which could then result in a catastrophic breach if exploited,” the security vendor warned.
“Developers often manually change the default locked and secured configurations of security rules to run tests. If left unlocked and unprotected before releasing the application to production, it leaves the database open to anyone accessing it and thus susceptible to reads and writes into the database.”
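As an added illustration (not code from the Check Point report), the following Python check parses a Firebase Realtime Database rules document and flags every path whose `.read` or `.write` is granted unconditionally. The two rule sets are constructed samples: one in the unlocked test state the quote describes, the other restricted to authenticated owners.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample: the "unlocked for testing" rules described above, left in
# place when the app shipped. Anyone who knows the database URL can read and write.
OPEN_RULES = json.dumps({"rules": {".read": True, ".write": True}})

# Constructed sample: locked down. Each user reaches only their own subtree, and
# only with a valid Firebase Auth token (auth != null). One subtree is read-only public.
LOCKED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "public_config": {".read": True, ".write": False},
    }
})


def _is_unconditional(value) -> bool:
    """A rule grants everyone access when it is literal true or the string 'true'."""
    if value is True:
        return True
    return isinstance(value, str) and value.strip().lower() == "true"


def find_public_paths(rules_json: str) -> List[Tuple[str, str]]:
    """Return (path, permission) pairs for every node whose .read or .write is open to all.
    Firebase rules cascade downward, so an open rule at "/" exposes the whole database."""
    doc = json.loads(rules_json)
    findings: List[Tuple[str, str]] = []

    def walk(node: Dict, path: str) -> None:
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_unconditional(value):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):  # child path or $wildcard
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


def writable_by_anyone(rules_json: str) -> bool:
    """True if any path is world-writable, which turns a leak into a tampering risk."""
    return any(perm == ".write" for _, perm in find_public_paths(rules_json))


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("locked", LOCKED_RULES)):
        print(name, find_public_paths(rules), "world-writable:", writable_by_anyone(rules))
```

Run it against an exported rules file before release; any finding at "/" means the database is fully public.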
Check Point highlighted several culprits it discovered in this way. One was a South American e-commerce app with over 10 million downloads leaking API gateway credentials and API keys. Another was a logo design app, also with more than 10 million downloads, which exposed 130,000 usernames, emails and passwords.
Also listed were a social audio platform with over five million downloads exposing bank details, location, phone numbers and chat messages, and a popular bookkeeping app leaking 280,000 phone numbers linked to at least 80,000 company names, addresses, bank balances, cash balances, invoice counts and emails.
Check Point even found one dating app leaking 50,000 private messages sent by users.
“The variety of possible attacks is subject to the type of exposed data. It is a bottomless pit of possibilities ranging from fraud and identity theft to ransomware or even supply chain attacks,” Check Point concluded.
“Cloud misconfigurations are the consequences of lack of awareness, proper policies and security training that are further heightened and needed with the new work from home hybrid model. Bad security practices can cause extensive damage, and are yet only one simple click away from being remediated.”
The findings chime with another study out this week which revealed that 14% of Android and iOS apps using public cloud back-ends had misconfigurations that exposed users’ personal information.