Mobile App Data Found Exposing APIs & Data in 1,000s of Cloud Databases

Check Point Research found thousands of Firebase cloud databases that exposed chat messages in gaming apps, personal photos, token IDs in healthcare apps and data from cryptocurrency platforms.

One of the apps discovered belonged to a large department store in South America (10+ million downloads) and had mistakenly exposed its API gateway credentials and API keys. CPR was able to access this data without facing any kind of protective mechanism. Other similar apps had their data exposed for all to see:

  • Bookkeeping Application (1+ Million Downloads)
  • Dating Application (10,000+ Downloads)
  • Social Audio platform application (5+ Million Downloads)
  • Running Tracker Application (100,000+ Downloads)
  • Logo Design Application (10+ Million Downloads)
  • PDF reader Application (500,000+ Downloads)
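As an added illustration (not taken from the Check Point report or from any of the apps listed above), the kind of Firebase Realtime Database rule set that leaves a database readable and writable without any protective mechanism, rewritten so that access requires authentication and is scoped per user; the `users`, `messages` and `rooms` paths are assumed for illustration only:

```json
{
  "rules": {
    // Default for the whole tree: deny. The weak configuration this replaces
    // was ".read": true, ".write": true, which lets any client that knows the
    // database URL dump or modify every record without authenticating.
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // A signed-in user may read and write only their own record.
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },

    "messages": {
      "$roomId": {
        // Only members listed under the room may read its messages
        // (assumed layout: /rooms/<roomId>/members/<uid> = true).
        ".read": "auth != null && root.child('rooms').child($roomId).child('members').child(auth.uid).exists()",
        "$msgId": {
          // A member may append a message, and only as themselves.
          ".write": "auth != null && root.child('rooms').child($roomId).child('members').child(auth.uid).exists() && newData.child('sender').val() === auth.uid",
          // Reject writes that do not carry the expected fields.
          ".validate": "newData.hasChildren(['sender', 'text'])"
        }
      }
    }
  }
}
```

A Firebase API key embedded in a client app identifies the project rather than acting as a secret, so the rule set is what actually decides who can read or write; a permissive rule set exposes the whole database regardless of how the key is handled.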

Expert Comments

March 18, 2022
George McGregor
VP of Marketing
Approov

This is yet another example of how easy it is to steal API credentials and use them in modified apps or create scripts in order to steal personal data. Every organization which has customer-facing apps must have a mitigation plan in place for when secrets are stolen. One of the most effective approaches is to ensure that APIs can only be accessed by genuine apps running in safe environments. This kind of run-time shielding for mobile apps can easily be put in place to prevent this kind of breach and should be a priority for anyone deploying mobile apps.

March 18, 2022
Garret F. Grajek
CEO
YouAttest

APIs are everything in modern software. Processes talking to processes is how most new software is constructed, and hackers know this. Many organizations have become better at watching their human accounts, but service accounts are still a problem for organizations. These must be reviewed and changed. Dynamic service accounts and the Zero Standing Privileges philosophy are also highly recommended for service account management.
