A latest report shows that over 3000 Android and iOS mobile apps leak private user data including sensitive user information as well as business data from over 23,000 unsecured firebase databases. According to the report, 27,227 Android apps and 1,275 iOS apps store app data in Firebase's database systems. 3,046 of these apps have data saved in unsecured databases that can be accessed by anyone. Of these, 2,446 are Android apps and 600 are iOS applications.
On further analysis, this leaked data included over 2.6 million usernames and passwords in plain text, over 25 million GPS locations, over 50,000 financial transaction records, and more than 4.5 million user tokens for popular social media platforms. Additionally, over 4.5 million Public Health Information records are also publicly accessible.
A total of more than 100 million individual records have been leaked.
Multiple Reports Show Mobile Apps Leak Private User Data
This is not the first report that has highlighted that mobile apps leak private user data. In fact, not just thousands, but hundreds of thousands of apps are vulnerable and leak millions of private data records on a daily basis. Earlier this year, millions of apps were found to leak personal information like name, age, income, location, phone numbers and email addresses. All of this thanks to third-party libraries.
Over the last four years at Appknox, we've analyzed close to 1.5 million apps and have found hundreds of thousands of apps affected because of third-party libraries. Over 70% of the apps we've analyzed have at least one high-level vulnerability caused by a third-party SDK or library. In fact, even top banking apps have security issues and also popular e-commerce apps leak financial information.
Researchers at Kaspersky Labs analyzed 4 million APKs and found that most of them exposed some sensitive data. While some of them did this because of poor coding practices by developers, a large portion of the mobile apps leaking private user data were those caused because of third-party SDKs.
Some Key Findings From the Report
A total of 2,705,987 apps were analyzed.
27,227 Android apps and 1,275 iOS apps were using a Firebase database.
1 in 11 Android apps (9%) and almost half of iOS apps (47%) that had a Firebase connection were vulnerable
More than 3,000 apps were leaking data from 2,300 unsecured servers.
1 in 10 Firebase databases (10.34%) are vulnerable
Vulnerable Android apps alone were downloaded over 620 million times
Over 100 million records (113 gigabytes) of data was exposed
Mobile Apps Leak Private User Data Causing Major Damage to Enterprises
One of the obvious damages of apps that leak private information is the direct impact on the privacy of individuals whose data is compromised. As millions of such data points add up, the impact soon starts multiplying and can affect enterprises as many of these individuals will also be working at enterprises that are increasingly adopting a BYOD (Bring Your Own Device) model.
When internal company data gets leaked, organizations lose not only intellectual property but also take a huge hit to their reputation, brand, and viability. Over 40% of the apps in the report are business apps thereby increasing this risk manifolds.
Bad publicity, increased threat of fraud, theft of intellectual property, and loss of corporate and personal data are all detrimental to any organization. Be careful of all the apps that are in your enterprise network and make sure the entire organization is aware and proactive.