A security vulnerability affecting more than 3,000 mobile apps is exposing more than 4 million protected health records that include prescription details and sensitive chat messages, according to a report from mobile app security firm Appthority.
The exposure, which also includes 2.6 million plaintext passwords and user IDs, 25 million GPS location records, and 50,000 financial records, is a result of app developers neglecting to secure their back-end servers, in this case a Google Firebase cloud database.
“Firebase is one of the most popular backend database technologies for mobile apps but does not secure user data by default, provide third-party encryption tools, or alert developers to insecure data and potential vulnerabilities,” the authors of the report wrote. “To secure data properly, developers need to specifically implement user authentication on all database tables and rows, which rarely happens in practice. Moreover, it takes little effort for attackers to find open Firebase app databases and gain access to millions of private mobile data app records.”
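The report's remedy is to require authentication on every database path. Firebase Realtime Database rules are a JSON document whose `.read`/`.write` values are booleans or expression strings that can reference the requesting user's `auth` object, and a grant cascades to every child path. The example below is added here and is not from Appthority or Google: it places a wide-open rule set (the kind that produces the exposure described above) beside a locked-down one, and lints a rules document for any path that grants access without a signed-in user. Both rule documents are constructed for illustration; the `find_open_paths` helper is hypothetical, not a Firebase tool.

```python
"""Lint Firebase Realtime Database security rules for unauthenticated access.

Constructed example: the two rule documents below are illustrative and not
taken from the Appthority report.  In Firebase rules, a ".read"/".write" value
of true, or an expression that never consults `auth`, is satisfiable by an
anonymous request, and a grant at one path applies to all of its children.
"""
import json
import re

# Weak configuration: root-level read/write open to anyone who knows the
# database URL.  Every record in the database is exposed.
OPEN_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Corrected configuration: nothing is granted at the root, and each user can
# read and write only the subtree keyed by their own Firebase Auth uid.
# "public_config" is left readable on purpose to show that the linter still
# surfaces every anonymous grant so an operator can confirm it is intended.
LOCKED_RULES = json.dumps({
    "rules": {
        ".read": False,
        ".write": False,
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "public_config": {
            ".read": True,
        },
    }
})

_AUTH_REF = re.compile(r"\bauth\b")


def _grants_unauthenticated(value) -> bool:
    """True if a .read/.write value could be satisfied by an anonymous request."""
    if value is True:
        return True
    if value is False:
        return False
    # An expression string that never mentions `auth` cannot require sign-in,
    # e.g. "data.child('visible').val() == true".
    return not _AUTH_REF.search(str(value))


def find_open_paths(rules_json: str):
    """Return sorted (path, permission) pairs granted without authentication.

    A grant is reported once, at the path where it is written, because
    Firebase applies a granting rule to every descendant path as well.
    """
    doc = json.loads(rules_json)
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _grants_unauthenticated(value):
                    findings.append((path or "/", key))
            elif key in (".validate", ".indexOn"):
                continue  # not access grants
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return sorted(findings)


def is_open_database(rules_json: str) -> bool:
    """True if any path is readable or writable without a signed-in user."""
    return bool(find_open_paths(rules_json))


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("locked", LOCKED_RULES)):
        print(name, find_open_paths(rules))
```

Run against a project's exported rules file, every finding is a path that an anonymous client can reach; the only acceptable ones are paths that hold deliberately public, non-sensitive data, and anything holding user records, chat messages or health data should carry an `auth`-scoped rule like the `users/$uid` branch above.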
Appthority noted in the report that this vulnerability affects organizations across a number of countries and industries, and that the popularity of Google Firebase among app developers means that the issue is likely to increase in scope. Of note, the report specified that health and fitness apps were the biggest leakers.
“This is of particular concern because healthcare data is far more valuable to hackers than other types of data,” the company wrote. “Medical information can be worth ten times more than credit card numbers on the deep web. Fraudsters can use this data to create fake IDs to buy medical equipment or drugs, or combine a patient number with a false provider number and file fictional claims with insurers.”
The security company wrote in the report that it has notified Google about the vulnerability and provided the company with a list of the affected apps and database servers. In the meantime, Appthority recommends that enterprises take steps to ensure that branded apps developed in-house or by a third party are checked for the vulnerability, and that they be aware of exposure resulting from other public apps downloaded by employees to company-owned or bring-your-own devices.