3,000+ mobile apps leaking data from unsecured Firebase databases – What the Experts are Saying

Findings were reported today by HelpNet Security that  3,000+ mobile iOS and Android apps are potentially leaking PII data from unsecured Firebase databases.  So far, affected apps have been downloaded 620 million times for Android devices (the iOS download rate is unknown). Researchers with Appthority say 62% of enterprises are likely impacted by the affected tools, productivity, health and fitness, communication, cryptocurrency, finance and business apps.

Weighing in on this issue are Ryan Wilk, VP of Customer Success at NuData Security, a Mastercard Company and Samuel Bakken, Senior Product Marketing Manager at OneSpan.

Ryan Wilk, VP of Customer Success at NuData Security, a Mastercard Company

“Mobile application security is often a crucial and an open issue as the latest HospitalGown vulnerability variant shows. This vulnerability underscores why sectors such as healthcare and finance are increasingly adopting and multi-layered security strategies incorporating passive biometrics and behavioral analytics to help ensure that the previously stolen data cannot be used to for fraudulent purposes.
“This type of security enables customer verification with real-time analysis of hundreds of indicators derived from the user’s online behavior, rather than depending on possibly compromised static data such as passwords and security questions. This solution protects customers from post-breach damage.”

Samuel Bakken, Senior Product Marketing Manager at OneSpanSamuel Bakken, Senior Product Marketing Manager at OneSpan

“Mobile developers and businesses are under incredible pressure to release more features more quickly. Speedy innovation sharpens a competitive edge, but the rush to market can result in developers and line-of-business owners overlooking rather basic security practices that might prevent this sort of issue. It’s not hard to find mobile development talent but finding a mobile developer with security expertise is rare, and so, developers need all the help they can get. Fortunately, businesses can do a number of things to help get mobile developers up to speed when it comes to security — for example, secure coding training to help developers recognize and address insecure coding practices, automated security testing throughout development to catch security issues before they’re released to market, and app shielding technology for easy integration of another layer of strong mobile app security to fortify mobile apps against increasingly sophisticated attacks.
“In this case, millions of usernames and passwords were exposed for a period of time. Unfortunately, it’s really best to assume usernames and passwords are public knowledge and to focus on implementing strong, user-friendly multi-factor authentication. Fortunately, recent advancements such as adaptive authentication solutions provide strong protection against account take-over while also providing a consistent, frictionless user experience across digital channels.”

Appthority security researchers discovered the HospitalGown vulnerability in 2017 which leads to data exposures, not due to any code in the app, but to the app developers’ failure to properly secure backend data stores (hence the name).