Developers Using Unprotected Databases Exposing Millions of Passwords

Thousands of Android and iPhone mobile apps use the Firebase database.  The database runs in the cloud and, apparently, by default has no security.

The net effect of this is that 100 million records, or more, are exposed for anyone to capture.

Firebase, a database run by Google, is very popular with Apple and Android developers.  It is popular because it allows for synchronizing data automatically across devices.

The data stored includes userids and passwords and even banking records, all unencrypted unless the developers protected the data themselves.

Researchers discovered 3,000 apps leaking 2,300 databases with over 100 million records or 113 gigabytes.

The vulnerable Android apps, which are the majority of the 3,000 apps, were downloaded 620 million times, so this is a mainstream problem.

Developers are responsible for protecting the data that they collect and users count on them to do that.

So what are you to do?

First, if you are a developer, you need to consider security when you design applications.  If you can’t figure out whether the data you are storing is secure, you should not be in the development business.

Unfortunately, as an end user, you don’t really know whether the people who developed the app that you downloaded is secure. 

You can do research on the apps, but until this security flaw was announced, research would not have told you there was a problem.

The only other alternative is to be very selective about what apps you download.  That certainly is not a great answer either.

You also can be selective about what data you give the apps, but if, as some of these are, health data apps, and you don’t give the app your health data, what good is it?

Ultimately, the responsibility for this particular mess falls, for the most part, on the development community, so folks, you need to up your game.  Just my two cents.

Information for this post came from The Hacker News.

Leave a Reply

Your email address will not be published. Required fields are marked *