Experienced developers who use the cloud to create mobile apps typically try to harden their apps against different types of attack. But one aspect that sometimes gets overlooked is the cloud database behind the app. Such databases need to be secured against unwanted access, and that's not always the case, according to cyber threat intelligence provider Check Point Research.
In a new report released on Tuesday, Check Point said it discovered thousands of mobile apps that left data exposed. Looking at apps that use the cloud-hosted Firebase database, Check Point found 2,113 different ones in which the backend data was unprotected and accessible to hackers. Some of the exposed information included chat messages in gaming apps, personal files such as family photos, token IDs for healthcare apps and data from cryptocurrency exchange platforms.
For its research, Check Point ran a query at the VirusTotal service, which allows you to submit files and apps to see if they contain any malicious elements. The service also lets you search for unprotected resources, such as online databases. Through its query, Check Point researchers found unsecured databases hosted on Firebase.
In one example, an e-commerce app had mistakenly exposed its API gateway credentials and API keys, all of which were publicly accessible. In another case, a fitness app revealed the GPS coordinates and health information of its users.
A dating app exposed more than 50,000 private messages of its customers. An app used to design logos and graphics revealed the usernames, passwords and email addresses of 130,000 users. An app for a social audio platform exposed the bank details, phone numbers and chat messages for users.
An accounting app for SMBs revealed 280,000 phone numbers associated with at least 80,000 company names and addresses. And a PDF reader app exposed private keys that could potentially help a hacker connect to the company’s VPN network.
“Cloud misconfigurations are the consequences of lack of awareness, proper policies, and security training that are further heightened and needed with the new work from home hybrid model,” Check Point said in its report. “Bad security practices can cause extensive damage, and is yet only one simple click away from being remediated.”
Many mobile apps in development are uploaded to platforms like VirusTotal, according to Check Point. Developers do so because they want to make sure their apps won’t get flagged as malicious. Among all the apps uploaded to VirusTotal, more than 2,000 of them, or around 5%, were caught with databases open and accessible.
Searching for unprotected apps and databases through the VirusTotal site as Check Point did is not an easy process. Doing so requires a paid and expensive VirusTotal VT Enterprise account, not something the average person would have. But there are other ways to find the exposed data.
“In this report, we treat VirusTotal only as centralized storage of the mobile applications which allows us to easily operate with a lot of applications and gather statistics,” said Alexandra Gofman, security researcher for Check Point. “The thousands of databases that expose sensitive data are the cloud databases that are used by mobile applications themselves. So, having a specific application, from VirusTotal, or Google Play Store, or any third-party store, any unskilled person can check if it uses Firebase cloud database and easily access all the data if the database was not properly secured.”
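The exposure Gofman describes comes down to the database's security rules: a Firebase Realtime Database whose rules grant read or write access without consulting the caller's identity is open to anyone who knows its URL. As an added illustration that is not part of Check Point's report, the Python script below audits a Realtime Database rules document and flags every .read/.write rule that is public, showing an open rules document beside a hardened one. Both rules documents are constructed samples, not rules taken from any app in the research.

```python
import json

# Constructed sample: the open rules pattern behind the report's findings.
# Rules cascade downward in Realtime Database, so a public rule at the root
# exposes every path in the database.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed sample: a hardened rules document. Per-user data is readable
# and writable only by the authenticated owner of that node; one small
# config subtree is deliberately world-readable but never writable.
HARDENED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "public_config": {
      ".read": true,
      ".write": false
    }
  }
}
""")

PERMISSION_KEYS = (".read", ".write")


def _is_public(expr) -> bool:
    """A rule is public when it is literally true, or an expression that never
    consults the caller's identity (no reference to the `auth` variable)."""
    if expr is True:
        return True
    if expr is False:
        return False
    if isinstance(expr, str):
        s = expr.strip()
        if s == "true":
            return True
        if s == "false":
            return False
        return "auth" not in s
    return False


def audit_rules(rules_doc: dict) -> list:
    """Walk a rules document and return one finding per public rule, with the
    database path at which it applies (and, by cascading, below)."""
    findings = []

    def walk(node: dict, path: str):
        for key, value in node.items():
            if key in PERMISSION_KEYS:
                if _is_public(value):
                    findings.append({"path": path or "/", "rule": key, "expr": value})
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(rules_doc.get("rules", {}), "")
    return findings


def is_fully_open(rules_doc: dict) -> bool:
    """True when the root itself is publicly readable or writable, which is
    the whole-database exposure the report describes."""
    return any(f["path"] == "/" for f in audit_rules(rules_doc))


if __name__ == "__main__":
    for name, doc in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: fully open = {is_fully_open(doc)}")
        for finding in audit_rules(doc):
            print("   ", finding)
```

Run against the open document, the audit reports two root-level findings and marks the database fully open; against the hardened one it reports only the intentionally world-readable public_config subtree, which is the kind of finding a reviewer can then confirm as deliberate rather than a leak.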
To help developers who use cloud-based services make sure that their databases are hardened, Check Point offers the following tips:
- Amazon Web Services. To adhere to AWS CloudGuard S3 Bucket Security, follow the specific rule for “Ensure S3 buckets are not publicly accessible.”
- Google Cloud Platform. Ensure that your cloud storage database is not anonymously or publicly accessible by adhering to a specific rule in Google’s knowledge base.
- Microsoft Azure. Ensure that the default network access rule for Storage Accounts is set to deny.
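Each of the three tips corresponds to a concrete setting that can be read back from the provider's API. The Python check below is an added example, not code from Check Point or from the cloud providers; it evaluates constructed sample responses shaped like the output of `aws s3api get-public-access-block`, `gsutil iam get` and `az storage account show`, and reports which of the recommended settings are missing. Every value in the samples is made up for the illustration, and the functions take already-fetched JSON so the check runs offline.

```python
import json

# AWS: constructed response of `aws s3api get-public-access-block`.
# All four flags must be true for the bucket to be shielded from public
# ACLs and public bucket policies.
AWS_WEAK = json.loads("""
{"PublicAccessBlockConfiguration": {
  "BlockPublicAcls": false, "IgnorePublicAcls": false,
  "BlockPublicPolicy": false, "RestrictPublicBuckets": false}}
""")
AWS_HARDENED = json.loads("""
{"PublicAccessBlockConfiguration": {
  "BlockPublicAcls": true, "IgnorePublicAcls": true,
  "BlockPublicPolicy": true, "RestrictPublicBuckets": true}}
""")

# GCP: constructed bucket IAM policy as returned by `gsutil iam get`.
# allUsers grants anonymous access; allAuthenticatedUsers grants access to
# anyone with any Google account, which is public for practical purposes.
GCP_WEAK = json.loads("""
{"bindings": [
  {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
  {"role": "roles/storage.admin", "members": ["user:owner@example.com"]}]}
""")
GCP_HARDENED = json.loads("""
{"bindings": [
  {"role": "roles/storage.admin", "members": ["user:owner@example.com"]},
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:app-backend@example.iam.gserviceaccount.com"]}]}
""")

# Azure: constructed excerpt of `az storage account show`. With
# defaultAction "Allow", traffic from any network reaches the account.
AZURE_WEAK = {"networkRuleSet": {"defaultAction": "Allow",
                                 "ipRules": [], "virtualNetworkRules": []}}
AZURE_HARDENED = {"networkRuleSet": {"defaultAction": "Deny",
                                     "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
                                     "virtualNetworkRules": []}}

AWS_REQUIRED_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                      "BlockPublicPolicy", "RestrictPublicBuckets")
GCP_PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def aws_findings(response: dict) -> list:
    """Return the public-access-block flags that are not enabled. A bucket
    with no configuration at all behaves as if every flag were false."""
    cfg = response.get("PublicAccessBlockConfiguration", {})
    return [flag for flag in AWS_REQUIRED_FLAGS if cfg.get(flag) is not True]


def gcp_findings(policy: dict) -> list:
    """Return (role, member) pairs that grant a role to a public principal."""
    return [(b.get("role"), m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if m in GCP_PUBLIC_PRINCIPALS]


def azure_findings(account: dict) -> list:
    """Return a finding unless the network rule set denies by default."""
    action = account.get("networkRuleSet", {}).get("defaultAction")
    return [] if action == "Deny" else [f"defaultAction is {action!r}, expected 'Deny'"]


def audit_storage(aws: dict, gcp: dict, azure: dict) -> dict:
    """Run all three checks and return only the providers with findings."""
    results = {"aws": aws_findings(aws),
               "gcp": gcp_findings(gcp),
               "azure": azure_findings(azure)}
    return {k: v for k, v in results.items() if v}


if __name__ == "__main__":
    print("weak:    ", audit_storage(AWS_WEAK, GCP_WEAK, AZURE_WEAK))
    print("hardened:", audit_storage(AWS_HARDENED, GCP_HARDENED, AZURE_HARDENED))
```

Feeding the weak samples in returns findings for all three providers; the hardened samples return an empty report. The same functions can be pointed at real CLI output saved to a file, which keeps the audit separate from the credentials needed to fetch it.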