Smartphones now dominate the daily lives of their users, and almost everyone needs some sort of handy gadget to get tasks done on the go. This is especially the case with applications that help users with much of what they have to accomplish every day. Unfortunately, it appears not all hit mobile apps on iOS and Android are protecting user data. In fact, it appears you’re more at risk the more you use your mobile apps. Should you continue using them? Should you stop? What’s the real deal?
If reports are to be believed, Android and iOS applications may have been leaking sensitive user data to various third-party entities. This isn’t just a few apps, or a few hundred, but thousands of them, all sitting on unprotected data such as millions of financial records, GPS locations, and passwords.
This is courtesy of mobile security firm Appthority, which scanned iOS and Android mobile apps that use Firebase to store their users’ data. For those unfamiliar, Firebase is a prominent backend platform for web and mobile applications that uses the cloud to store various forms of data. Google acquired the company back in 2014, which helped it find a “home” among a lot of Android developers.
Unfortunately, if the report is to be believed, an alarming number of applications are unprotected. Of the 2.7 million mobile apps Appthority looked into, around 1,275 iOS apps and 27,227 Android apps store user data via Firebase’s backend database systems. However, 3,046 of these programs put data in 2,271 unsecured databases. How insecure? Anyone can access them. Of these apps, 600 are iOS applications and 2,446 are on Android.
Perhaps more alarming is the kind of data being stored “in plain sight” for everyone to see. The data that could be gathered from these vulnerable applications included 4.5 million social media platform user tokens, over 4 million public health information records (which include prescription records and private chats), 50,000 in-application transaction methods, 25 million GPS location records, and 2.6 million passwords and IDs in plain text.
All of this data, belonging to over 100 million users, takes up more than 113 gigabytes. The Android applications involved were installed more than 620 million times from the popular Google Play store.
According to Appthority, the vulnerability of the backends extends to the way they can be accessed, which is easy given they don’t have authentication systems or firewalls. Attackers could simply “tack on” the string “/.json”, without giving the database a name, and access the database. For example, one could access the database in
However, Appthority did clarify that Google was notified of these vulnerabilities before the report was released, and was given a list of all affected applications. Appthority also said it reached out to the developers themselves. The list of applications wasn’t made public, but categories ranged from travel to finance and health. The offices of these developers are scattered all around the world, which shows there’s a lot to be desired from companies that want to store personal data, especially the extremely private kind.
Interestingly, in an update, a Google representative explained that Google has already sent emails to all the unsecured projects on how to activate security rules. These were sent as early as 2017. Firebase secures all its databases by default, which means the developers may have turned off the security rules themselves.