News

Report: Unsecured Firebase Mobile Databases Leaking Enterprise Data

• By David Ramel
• June 21, 2018

Cloud developers still aren't securing their databases, a new report claims, resulting in the exposure of private enterprise information stored in Firebase, Google's mobile back-end platform.

Again, the blame is placed on developers who fail to properly secure databases, according to a new report from Appthority. The scenario repeats the pattern seen last year when multiple reports detailed millions of personal records exposed on unencrypted Amazon Web Services (AWS) data stores. In addition to Appthority, other security companies such as RedLock published reports on the problem.

"The exposure is not due to malicious code, but simply to developer carelessness with securing mobile app data stores," the company said of its new Firebase findings.

Appthority said it discovered more than 2,300 unsecured Firebase databases and 3,000 unique iOS and Android apps that exposed the vulnerability. The company specifically mentioned that its security report detailed examples of three apps that are no longer vulnerable.

"Enterprises are at significant risk from the Firebase vulnerability because 62 percent of enterprises have at least one vulnerable app in their mobile environment, Appthority said in a blog post. "The vulnerable apps are in multiple categories, including tools, productivity, health and fitness, communication, finance and business apps."

Specifically, more than 100 exposed records included:

• 2.6 million plain text passwords and user IDs
• 4 million-plus Protected Health Information (PHI) records (chat messages and prescription details)
• 25 million GPS location records
• 50 thousand financial records including banking, payment and Bitcoin transactions
• 4.5 million-plus Facebook, LinkedIn, Firebase and corporate data store user tokens

"For context," Appthority said, "Firebase is one of the most popular back-end database technologies for mobile apps but does not secure user data by default. Developers must secure all tables and all rows of data in order to avoid data exposure. And, unfortunately, it takes little effort for attackers to find open Firebase app databases and gain access to millions of private mobile data app records."

The company provides full details in its Appthority Mobile Threat Report, which is available for free download upon providing registration information.