Careless App Developers Leave Millions of Sensitive Medical and Financial Records Exposed


Thanks to poorly secured backend databases, a few thousand mobile apps are leaking an abundance of sensitive data, including personal health information, plaintext passwords, and financial transactions, according to researchers. 


Mobile security firm Appthority disclosed the leaks this week, pinning the blame on app developers who have failed to properly authenticate to the Google Firebase cloud database. Firebase is a mobile and web application platform acquired by Google in 2014. The platform is intended to make app development easier by doing much of the “heavy lifting” for coders.

More than 3,000 apps—most on Android, but at least 600 on iOS—are saving data to misconfigured Firebase databases exposed online, the researchers said.

Examples of exposed data provided by Appthority include substantially sensitive information, such as financial data, employee medical records, “plaintext passwords from over 150 corporate domains,” infrastructure cloud credentials, secret access keys to Amazon cloud servers, and “more than 40 server addresses with root plaintext passwords.”

Per Appthority, a staggering amount of data is exposed: roughly four million health-related records, including prescription details; 25 million GPS location records; 50 thousand financial records, including banking, payment and Bitcoin transactions; and 4.5 million Facebook, LinkedIn, Firebase, and corporate data store user tokens.

Needless to say, in the wrong hands, this wealth of confidential data poses a serious threat to companies and consumers alike, be it via network infiltration or the theft of personal identity or proprietary corporate information.

“This failure by developers to properly secure their Google Firebase databases is a significant and critical mobile vulnerability exposing vast amounts of sensitive data,” said Seth Hardy, Appthority director of security research. “The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security.”


Google provides detailed documentation on security rules for the Firebase Realtime Database and for Cloud Storage, as well as security rules for Firestore, the document database for mobile developers who use Google’s cloud platform.
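The misconfiguration behind this kind of leak is a Firebase Realtime Database rules file that grants access to everyone, most often the permissive "test mode" pair `".read": true, ".write": true` left at the root; that is a general description of the problem, not a rule quoted from Appthority's report. The `database.rules.json` below is an added example, not code from the article, from Appthority or from Google, showing the locked-down shape: nothing is readable or writable without a signed-in user, and each user can reach only the subtree keyed by their own ID. The node names `users`, `profile` and `public_config` and the `$uid` wildcard are assumptions chosen for illustration.

```json
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "profile": {
          ".validate": "newData.hasChildren(['displayName'])"
        }
      }
    },
    "public_config": {
      ".read": true,
      ".write": false
    }
  }
}
```

Two design points matter here. Permissions in Realtime Database rules cascade downward, so a `true` at the root cannot be revoked by a child rule; the root is therefore explicitly denied and access is re-granted only on narrow paths. And `auth != null` alone is not enough for per-user data, because any signed-in account (including a throwaway one) would satisfy it; the `auth.uid == $uid` comparison ties each record to its owner. Rules can be deployed from the project directory with `firebase deploy --only database` and exercised against the Rules Playground in the Firebase console before shipping.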

App developers, you should probably read them.


So, is there any way for an app user to tell if the app is safe? And, are we talking about nationwide bank apps, large medical center apps or such? Or smaller corporate apps for employees?