Cloud-based applications uniquely demand architecture and more strict security configuration, on which developers might be loose the focus. Insufficient security setup and direct access to the database on the backend have become a prominent factor of a massive data breach. Often hackers will target your database for malicious attacks, trying to steal or modify sensitive pieces of information.

In June 2018, thousands of mobile applications are leaking 100 million records because of insufficient security configuration. Mobile Threat Team (MTT) researchers from Appthority firm discovered that these mobile applications developers’ fail to secure their back-end Firebase endpoints properly. The Firebase stores data in JSON format and synced it in the real-time with all connected mobile clients.

The Google’s Firebase – a Backend-as-a-Service

Google’s Firebase service is top ten most popular (because it is real-time) cloud database hosted and Backend-as-a-Service (BaaS) option for developers to store user authentication details and other data used by the mobile app. Firebase equips with client library to ease integration with Android, iOS, Javascript, Java, Objective-C, Swift, and Node-js. It is accessible through a REST API enable HTTP connection for receiving any push notification from a server. After being acquired by Google in October 2014, the number of mobile apps using Firebase databases has risen significantly.

  • 2015 – 2016, apps using Firebase rose 2,112%, while the vulnerable apps rose 1,225%.
  • 2016 – 2017, apps using Firebase rose 271%, while vulnerable apps rose 74%.

However, Google’s Firebase services do not provide security access-control mechanism out of the box. It also does not offer security check-up list report to identify potential attack vector. The developers must provide their explicit user authentication for all stored database rows and tables to protect their databases from unauthorized access. Without the additional security setup, an attacker can easily find open Firebase app databases and access stored sensitive data use by the mobile app. Affect both Android and iOS apps.

The Attack Vector

It is easy for attackers to find open Firebase app database. The attackers can observe the network connections open by the apps to “firebaseio.com” servers. Firebase offers app developers an API server, as shown below, to access their databases hosted with the service. Attackers can gain access to unprotected data by just adding “/.json” with a blank database name at the end of the hostname. No special tools required for this process to success, only cut-and-paste on the conventional browser.

After applying this threat model (payload to access), to over 2.7 million Android and iOS apps that connect to “*.firebaseio.com” Firebase database hosts resulted from 3,046 (10/69%) apps for potential breach caused by improperly authentication setup, similar attack vector withHospitalGown(2017). The improper authentication back-end security setup causes massive leaks for over 113 GB of data from more than 3,046 apps (2,446 or 80.3% for Android and 600 or 19.7% for iOS) from 2,300 different databases with more than 100 million records publicly accessible to anyone. On Android apps alone, it is showing over 620 million times download.

The Impact

Affected mobile applications fit various categories such as telecommunication, cryptocurrency, finance services, postal services, educational institutions, hotels, productivity, health, fitness, tools and more. The report reveals that 975 (40%) of the vulnerable apps were business-related, installed in active customer environments, leaking corporate private keys and access credentials (potentially allowing attackers to exfiltrate sensitive intellectual property), private business conversations, and sales information.

On their report, MTT researchers also provided a summary analysis as below:

  • 2.6 million plaintext (yes, you read right) passwords and user login IDs.
  • 4 million+ PHI (Protected Health Information) records (chat messages and prescription details).
  • 25 million GPS location records.
  • 50,000 financial records including banking, payment and cryptocurrency transactions.
  • 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens.

Based on the above summary analysis, we can see about three data type group are under this vulnerability. The first group is Regulated data, which is a highly sensitive private information subject to regulatory requirements such as HIPAA, PCI, and GDPR. Data under this group are medical information, raw personal data (full name, email address, phone numbers, geolocations, including Facebook OAuth Tokens), vehicle license plate numbers, and credit card numbers.

The second group is Personal data, which may not be subject to regulatory requirements, but potentially expose private or financial information. Data under this group are private messages from networking app, voice recordings, and a cryptocurrency wallet app leaked transaction history and the total amount of cryptocurrency that users own.

Moreover, the last group is Sensitive Enterprise data, which can potentially cause the organization to lose the Intellectual Property (IP), damaging their viability and competitiveness. There are 975 vulnerable apps under this last data type group or around 40%.

To date, it is shown that apps with the open (accessible) backend Firebase database servers are frequent and severe data leakage threat, exposing many types of Regulated, Personal, and Sensitive Enterprise data from a considerable number of Android and iOS applications and millions of users. The cause? We might say, the developers. How to mitigate? It is now a matter of trying to educate developers in general about DevSecOps and secure coding practices. With the help of the correct tools, enterprise and users can also be taking part to ensure this practice is following.