Mobile App Data Found Exposing API’s & Data In 1,000’s Of Cloud Databases

Check Point Research found thousands of Firebase cloud databases that exposed chat messages in gaming apps, personal photos, token IDs in healthcare apps and data from cryptocurrency platforms.

One app discovered was from a large Dept Store in South America application (10+ Million Downloads) that had mistakenly exposed its API gateway credentials and API keys. CPR was able to access this data without facing any kind of protective mechanism.  Other similar apps had their data exposed for all to see:

  • Bookkeeping Application (1+ Million Downloads)
  • Dating Application (10,000+ Downloads)
  • Social Audio platform application (5+ Million Downloads)
  • Running Tracker Application (100,000+ Downloads)
  • Logo Design Application (10+ Million Downloads)
  • PDF reader Application (500,000+ Downloads)
Subscribe
Notify of
guest
2 Expert Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Garret F. Grajek
InfoSec Expert
March 18, 2022 5:12 pm

APIs are everything in modern software. Processes talking to process is how most new software is constructed – and hackers know this. Many organizations have become better at watching their human accounts – but service accounts are still a problem for organizations. These must be reviewed and changed. Dynamic service accounts, the Zero Standing Privileges philosophy is also highly recommended for service account management.

Last edited 3 months ago by Garret F. Grajek
George McGregor
George McGregor , VP of Marketing
InfoSec Expert
March 18, 2022 5:13 pm

This is yet another example of how easy it is to steal API credentials and use them in modified apps or create scripts in order to steal personal data. Every organization which has customer-facing apps must have a mitigation plan in place for when secrets are stolen. One of the most effective approaches is to ensure that APIs can only be accessed by genuine apps running in safe environments. This kind of run-time shielding for mobile apps can easily be put in place to prevent this kind of breach and should be a priority for anyone deploying mobile apps.

Last edited 3 months ago by George McGregor
Information Security Buzz
2
0
Would love your thoughts, please comment.x
()
x