62% of Enterprises Exposed to Sensitive Data Loss via Firebase Vulnerability

Appthority discovers new HospitalGown threat variant exposing private data from 3,000 mobile apps in enterprises

SAN FRANCISCO--()--Today, Appthority, the global leader in enterprise mobile threat protection, published research on its discovery of a new HospitalGown threat variant that occurs when app developers fail to require authentication to Google Firebase databases.

Appthority security researchers discovered the HospitalGown vulnerability in 2017 which leads to data exposures, not due to any code in the app, but to the app developers’ failure to properly secure backend data stores (hence the name). The new Firebase variant exposes large amounts of mobile app-related data stored in unsecured Firebase databases.

Exposed data from the Firebase vulnerability includes personally identifiable information (PII), private health information (PHI), plaintext passwords, social media account and cryptocurrency exchange private access tokens, financial transactions, vehicle license plate and registration numbers, and more data leaking from vulnerable apps. To date, Appthority is the only mobile security vendor researching and protecting against these large scale back-end data exposures.

“The Firebase vulnerability is a significant and critical mobile vulnerability exposing vast amounts of sensitive data,” said Seth Hardy, Appthority Director of Security Research. “The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security. To keep their data safe and stay in compliance with regulations like GDPR, HIPAA and PCI, they need to be investing in deep app analysis that detects these types of vulnerabilities.”

Key findings from Appthority’s Enterprise Mobile Threat Research revealed:

  • 3,000 mobile iOS and Android apps – over 620 million Android downloads, alone — are leaking data from 2,300 unsecured Firebase databases
  • Multiple app categories are impacted including tools, productivity, health and fitness, communication, cryptocurrency, finance and business apps
  • Most enterprises are impacted: 62% of enterprises have at least one vulnerable app in their mobile environment
  • More than 100 million records are exposed, including:
    • 2.6 million plain text passwords and user IDs
    • 4 million+ PHI (Protected Health Information) records (chat messages and prescription details)
    • 25 million GPS location records
    • 50 thousand financial records including banking, payment and Bitcoin transactions
    • 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens

The full enterprise mobile threat research report, entitled “Firebase Vulnerability: Exposing Sensitive Data via Thousands of Mobile Apps,” can be downloaded here.

About Appthority Mobile Threat Research

Appthority’s Mobile Threat Team (MTT) monitors and investigates mobile risks that pose a direct threat to mobile enterprises and delivers unique, accurate and practical perspectives that help our enterprise audience understand the most impactful threats and address mobile risks.

About Appthority

Appthority is a pioneer in enterprise mobile security and the leader in the Mobile Threat Defense category. The comprehensive Appthority Mobile Threat Protection (MTP) solution helps customers keep their data private and secure from mobile device, app and network threats. More Fortune 1000 companies trust Appthority to secure their enterprises from mobile threats because Appthority delivers best-in-class mobile threat protection and unparalleled enterprise visibility and control of mobile risks. With Appthority, security teams are informed, employees are productive and enterprise data is kept private and secure. Learn more at www.appthority.com.

Contacts

Finn Partners for Appthority
Dean Fisk, (415) 905-4007
appthority@finnpartners.com

Release Summary

Appthority publishes research on new threat discovery that occurs when app developers fail to require authentication to Google Firebase databases.

Contacts

Finn Partners for Appthority
Dean Fisk, (415) 905-4007
appthority@finnpartners.com