“Leaky Apps” Are Draining Your Data — Here’s How You Plug the Hole

July 18, 2018 5134 Views Gabriel Torok

All apps are vulnerable. That’s the takeaway from a recent Trustwave report, which found that 100 percent of web applications could be compromised in a cyberattack. Combined with the uptick in mobile malware, account takeover fraud and blockchain-based attacks, companies spend most of their time fending off new attacks while trying to keep current apps up and running.

The result? It’s easy to assume that when applications aren’t directly under attack, they’re effectively safe. The truth? More code handling more data increases the risk of “leaky apps” — applications which unwittingly expose sensitive data to prying eyes.

Here’s how you plug the holes.

Data Drips

Leaky apps are nothing new. Developers may forget to secure back-end data or hackers could gain access to information through unknown bugs or vulnerabilities. Given the time and effort invested by companies into securing apps and services, however, it’s tempting to see this problem as limited in scope and severity — after all, IT teams have enough on their plate managing active attacks to worry about potentially dripping data, right?

Consider the current landscape: As noted by Help Net Security, more than 3000 mobile apps across both iOS and Android are now leaking data from 2300 Firebase databases. The affected apps range from productivity tools and health and fitness monitors to cryptocurrency and business applications; 62 percent of enterprises are using at least one of these leaky apps. According to Bleeping Computer, these data drips now add up to more than 110 GB of exposed data, including everything from passwords and user IDs to protected health information, GPS locations and financial records. The biggest takeaway here? Some of these apps ship well-hardened client code designed to mitigate attacks, but the back-end databases they talk to accept connections without any authentication, so the data isn’t defended no matter how carefully the app itself was built.

Third-party apps — such as ad platforms — are also at risk. As noted by Phys.org, a bug in Facebook’s advertising platform made it possible to discover personal information users chose to keep private by uploading multiple customer databases and then cross-referencing the data. Given the billions of users subscribed to the social media service, this represents massive risk.

The Risk of Leaky Pipes

As noted by Threat Post, the scope of leaky apps has shifted from one-off design flaws to “overwhelming”. The result? At least one of the apps your company built or bought is leaking secure data. What’s the potential damage?

  • Lack of Awareness — What you don’t know can hurt you. While typical attacks on applications or services should alert detection and intrusion tools, information accessed legitimately because database permissions aren’t properly managed won’t trip defense systems, leaving companies in the dark.

    As noted by Infosecurity Magazine, for example, the conference app used by RSA at its recent security event was leaky, allowing hackers to access attendee information through an insecure API. While the app was quickly fixed, the lack of awareness — at a security conference, no less — underscores the need to address leaky apps ASAP.

  • Scaling Up — What start as small leaks may worsen over time. In the same way tree roots can push into water pipes and cause serious damage, hackers with access to limited database information may be able to leverage their findings and compromise IoT devices, database controllers and other network essentials to breach IT security.

  • Legal Consequences — Companies are responsible for the data they collect and handle, regardless of which apps they use. Legislation such as HIPAA and now GDPR makes it clear that enterprises entrusted with personal data must safeguard it from the moment of collection to destruction — and be able to audit this journey on demand.

    As noted by the Threat Post piece, this is problematic for organizations because “millions of applications include third party SDKs, exposing private data that can be easily intercepted and modified – leading to malware infections, blackmail and other highly effective attack vectors on your devices.” The result? No matter the source of the leak — in-house or outside — companies are held responsible.

Common Plumbing Problems (And Solutions!)

Want to plug your leaky apps? Here are some of the most common plumbing problems:

  1. Insecure database access.
    Databases present an accidental exposure risk. The solution? Always apply the principle of least privilege and trace each piece of sensitive data from the point it enters your application to every store and endpoint it reaches. In practice this means feeding in test data, observing where it ends up and who can reach it, and then requiring authentication and scoping permissions so that each client can read only the data it actually needs.

  2. Third-party issues.
    As noted by the Phys.org piece, research from Northeastern University found that “dozens of popular browser extensions were leaking users’ web history”. For companies looking to secure leaky apps this means regularly evaluating third-party services — good practice for app security in general — and eliminating insecure app connections as needed.

  3. Code concerns.
    Not all code is perfect. If you’re creating code in-house it may have flaws that didn’t appear in testing, while popular open-source code may include undiscovered vulnerabilities. The solution? Security by design. Test, test and test some more — as creatively as possible — to uncover potential problems. Then, layer on app defense tools such as app hardening and obfuscation. Why? Because code is always a work in progress; app hardening tools make it harder for attackers to reverse-engineer your code and discover its vulnerabilities, run it in untrusted environments, or tamper with it.
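The following is an added example, not code from PreEmptive or from the reports cited above. It puts problem 1 (and the Firebase leaks described under Data Drips) into practice in two ways: a small audit of a Firebase Realtime Database rules document that flags every path whose `.read` or `.write` is the literal `true`, and a classifier for the response an unauthenticated GET on the database’s REST root receives. The REST endpoint (`https://<project>.firebaseio.com/.json`), the `shallow=true` parameter and the 200 / 401 `Permission denied` behaviour are Firebase’s documented REST API; the project IDs, the two rules documents and the sample responses are constructed so the example runs offline.

```python
"""Added example (not PreEmptive's code): audit Firebase Realtime Database
rules for public access and classify an unauthenticated probe of the REST root.

Constructed for illustration: WEAK_RULES, LEAST_PRIVILEGE_RULES, the project
IDs and SAMPLE_RESPONSES.  The URL format and status codes follow Firebase's
documented REST API.
"""
import json
import urllib.error
import urllib.request

# Constructed: the rules that turn an app into a "leaky app" -- anyone on the
# internet can read and write the whole database.
WEAK_RULES = {"rules": {".read": True, ".write": True}}

# Constructed: least privilege -- a signed-in user reaches only their own
# subtree, one explicitly public read-only node, nothing else.
LEAST_PRIVILEGE_RULES = {
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "public_config": {".read": True, ".write": False},
    }
}


def find_public_rules(rules_doc):
    """Return [(path, op), ...] for every ".read"/".write" that is literally true,
    i.e. granted without any Firebase auth at all."""
    def walk(node, path):
        found = []
        for key, value in node.items():
            if key in (".read", ".write"):
                if value is True:
                    found.append((path, key))
            elif isinstance(value, dict):   # ".validate"/".indexOn" are not dicts, so skipped
                found.extend(walk(value, path.rstrip("/") + "/" + key))
        return found
    return walk(rules_doc.get("rules", rules_doc), "/")


PUBLIC_READ, AUTH_REQUIRED, NOT_FOUND, UNKNOWN = (
    "PUBLIC_READ", "AUTH_REQUIRED", "NOT_FOUND", "UNKNOWN")


def root_probe_url(project_id):
    # shallow=true makes Firebase return only the top-level keys, so the probe
    # confirms exposure without downloading the whole database.
    return f"https://{project_id}.firebaseio.com/.json?shallow=true"


def classify(status, body):
    """Map the (status, body) of an unauthenticated GET on the root to a verdict
    plus the top-level keys that were exposed."""
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return UNKNOWN, []
        # A 200 on an empty database (body "null") still means the read rule is public.
        keys = sorted(data) if isinstance(data, dict) else []
        return PUBLIC_READ, keys
    if status in (401, 403):      # Firebase answers 401 {"error": "Permission denied"}
        return AUTH_REQUIRED, []
    if status == 404:
        return NOT_FOUND, []
    return UNKNOWN, []


def fetch(url):
    """Unauthenticated GET; returns (status, body) for error responses too."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_project(project_id, fetcher=fetch):
    """Probe one project; pass a different fetcher to run without network access."""
    return classify(*fetcher(root_probe_url(project_id)))


# Constructed responses standing in for two projects, so the example runs offline.
SAMPLE_RESPONSES = {
    root_probe_url("leaky-demo"): (200, '{"users": true, "health_records": true}'),
    root_probe_url("locked-demo"): (401, '{"error": "Permission denied"}'),
}


def offline_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, '{"error": "404 Not Found"}'))


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("least-privilege", LEAST_PRIVILEGE_RULES)):
        print(f"{name} rules, paths open without auth: {find_public_rules(doc)}")
    for project in ("leaky-demo", "locked-demo", "missing-demo"):
        print(project, "->", check_project(project, fetcher=offline_fetch))
```

Run the rules audit against the `database.rules.json` you deploy; anything it reports at `/` is a database the whole internet can read, which is exactly the condition the Firebase leak reports describe. Note that `"auth != null"` on the root is only a small improvement over `true`: any user who can sign up to the app can still read everything, which is why the least-privilege document scopes reads and writes to the caller’s own `$uid`. The probe is the check to run against your own projects (with the default `fetch`) as part of a release checklist, since a public-read rule leaves nothing in your logs.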

Bottom line? Leaky apps aren’t high-profile like ransomware or overwhelming like organized DDoS attacks but they represent real risk to personal information — risk that often goes unnoticed.

Plug the problem with better database control, increased oversight of third-party tools and enhanced defense of existing code.

