“Leaky Apps” Are Draining Your Data — Here’s How You Plug the Hole

Categories: Dotfuscator CE

Published on July 18, 2018 by Gabriel Torok


All apps are vulnerable. That’s the takeaway from a recent Trustwave report, which found that 100 percent of the web applications it tested contained at least one vulnerability. Combined with the uptick in mobile malware, account takeover fraud and blockchain-based attacks, companies spend most of their time fending off new attacks while trying to keep current apps up and running.

The result? It’s easy to assume that when applications aren’t directly under attack, they’re effectively safe. The truth? More code handling more data increases the risk of “leaky apps” — applications which unwittingly expose sensitive data to prying eyes. 

Here’s how you plug the holes.

Data Drips

Leaky apps are nothing new. Developers may forget to secure back-end data or hackers could gain access to information through unknown bugs or vulnerabilities. Given the time and effort invested by companies into securing apps and services, however, it’s tempting to see this problem as limited in scope and severity — after all, IT teams have enough on their plate managing active attacks to worry about potentially dripping data, right?

Consider the current landscape: As noted by Help Net Security, more than 3000 mobile apps across both iOS and Android are leaking data from 2300 Firebase databases. The affected apps range from productivity tools and health and fitness monitors to cryptocurrency and business applications, and 62 percent of enterprises are using at least one of them. According to Bleeping Computer, these data drips add up to more than 110 GB of exposed records, including passwords and user IDs, protected health information, GPS locations and financial records. The biggest takeaway? Some of these apps ship hardened, well-written client code, but the Firebase databases they talk to were left in a configuration that answers reads without any authentication. Hardening the client does nothing for data that the back end hands to anyone who knows the database URL.

Third-party apps — such as ad platforms — are also at risk. As noted by Phys.org, a bug in Facebook’s advertising platform made it possible to discover personal information users chose to keep private by uploading multiple customer databases and then cross-referencing the data. Given the billions of users subscribed to the social media service, this represents massive risk.

The Risk of Leaky Pipes

As noted by Threat Post, the scope of leaky apps has shifted from one-off design flaws to “overwhelming”. The result? At least one of the apps your company built or bought is probably leaking sensitive data. What’s the potential damage?

  • Lack of Awareness — What you don’t know can hurt you. A typical attack on an application or service should trip intrusion detection tools, but data read through a legitimate path because database permissions aren’t properly managed looks like normal traffic, and it leaves companies in the dark.

    As noted by Infosecurity Magazine, for example, the conference app used at RSA’s recent security event was leaky, allowing hackers to access attendee information through an insecure API. While the app was quickly fixed, the lack of awareness, at a security conference no less, underscores the need to address leaky apps ASAP.
  • Scaling Up — What start as small leaks may worsen over time. In the same way tree roots can push into water pipes and cause serious damage, hackers with access to limited database information may be able to leverage their findings and compromise IoT devices, database controllers and other network essentials to breach IT security.
  • Legal Consequences — Companies are responsible for the data they collect and handle, regardless of which apps they use. Legislation such as HIPAA and now GDPR makes it clear that enterprises entrusted with personal data must safeguard it from the moment of collection to destruction, and be able to audit this journey on demand.

    As noted by the Threat Post piece, this is problematic for organizations because “millions of applications include third party SDKs, exposing private data that can be easily intercepted and modified – leading to malware infections, blackmail and other highly effective attack vectors on your devices.” The result? No matter the source of the leak — in-house or outside — companies are held responsible.

Common Plumbing Problems (And Solutions!)

Want to plug your leaky apps? Here are some of the most common plumbing problems:

  1. Insecure database access.
    Databases are where accidental exposure happens: a back end that accepts reads without authentication leaks no matter how careful the client code is. The solution? Apply the principle of least privilege and follow the data to the logical end of your application. In practice this means inputting test data, tracing how it’s stored and served, and then requiring authentication and owner-scoped authorization at every path where it can be read or written.
  2. Third-party issues. 
    As noted by the Phys.org piece, research from Northeastern University found that “dozens of popular browser extensions were leaking users’ web history”. For companies looking to secure leaky apps this means regularly evaluating third-party services — good practice for app security in general — and eliminating insecure app connections as needed.
  3. Code concerns. 
    Not all code is perfect. If you’re creating code in-house it may have flaws that didn’t appear in testing, while popular open-source code may include undiscovered vulnerabilities. The solution? Security by design. Test, test and test some more, as creatively as possible, to uncover potential problems. Then, layer on app defense tools such as app hardening and obfuscation. Why? Because code is always a work in progress; app hardening tools make it harder for hackers to discover vulnerabilities in your code, run it in untrusted environments, or modify it.
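The Firebase findings in “Data Drips” and the least-privilege advice in item 1 come down to one check: does the database grant access to clients that never authenticated? The script below is an added example, not PreEmptive’s code and not part of the research cited above. The rules document format is Firebase Realtime Database’s own (rule values are booleans or expression strings, and a permission granted at a node cascades to every child node), but the WEAK_RULES and FIXED_RULES documents and the audit heuristics are constructed for illustration.

```python
"""Audit a Firebase Realtime Database rules document for open access.

Added example (not PreEmptive's code). The rules JSON format is Firebase's;
the sample rule sets and the audit heuristics here are constructed for
illustration only.
"""
import json

# Constructed sample: the "test mode" default that many leaky apps shipped with.
# Anyone who knows the database URL can read and write the entire tree.
WEAK_RULES = """{
  "rules": {
    ".read": "true",
    ".write": "true"
  }
}"""

# Constructed sample: each user's subtree is scoped to that user, and only a
# deliberately public, read-only config node stays open.
FIXED_RULES = """{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "public_config": {
      ".read": "true",
      ".write": "false"
    }
  }
}"""


def _is_open(expr):
    """True when a rule grants access unconditionally (boolean true or "true")."""
    if expr is True:
        return True
    return isinstance(expr, str) and expr.strip().lower() == "true"


def _is_any_authenticated(expr):
    """True when a rule admits every signed-in account (including anonymous
    sign-in) without tying access to the data owner."""
    return isinstance(expr, str) and expr.replace(" ", "") in ("auth!=null", "auth!==null")


def audit_rules(rules_json, allow_public_read=()):
    """Walk a rules document and return findings as
    (path, permission, severity, message) tuples.

    allow_public_read lists paths (e.g. "/public_config") whose open read
    access is intentional. An open write is never accepted.
    """
    tree = json.loads(rules_json)["rules"]
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                perm = key[1:]
                if _is_open(value):
                    if perm == "read" and path in allow_public_read:
                        continue
                    # Firebase rules cascade downward: an open root rule exposes
                    # every node, and child rules cannot take that access back.
                    note = " (root rule, cascades to every child node)" if path == "" else ""
                    findings.append((path or "/", perm, "high",
                                     f"{perm} is open to unauthenticated clients{note}"))
                elif _is_any_authenticated(value):
                    findings.append((path or "/", perm, "medium",
                                     f"{perm} is granted to any signed-in account; "
                                     "scope it to the data owner"))
            elif isinstance(value, dict):
                # Plain node names and wildcard keys like "$uid" both descend.
                walk(value, f"{path}/{key}")
            # ".validate", ".indexOn" and scalar values carry no access grant.

    walk(tree, "")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(f"== {label} ==")
        for path, perm, severity, msg in audit_rules(doc, allow_public_read=("/public_config",)):
            print(f"[{severity}] {path} {perm}: {msg}")
```

Run against the weak document the audit reports two high-severity findings at the root; run against the fixed document with `/public_config` listed as intentionally public it reports nothing. Because a grant cascades to every child, a single open root rule is equivalent to publishing the whole database, which is exactly the condition behind the Firebase leaks described above. A rule of the form `auth != null` is reported at medium severity because anonymous sign-in, where enabled, satisfies it for anyone.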

Bottom line? Leaky apps aren’t high-profile like ransomware or overwhelming like organized DDoS attacks but they represent real risk to personal information — risk that often goes unnoticed.

Plug the problem with better database control, increased oversight of third-party tools and enhanced defense of existing code.