It looks like unsecured AWS databases have always been present in the news when it comes to mobile application’s security breaches. However, Google Firebase-based apps have been greatly exposed as well, possibly more than its AWS-based counterparts.
Appthority, a mobile application security organization, carried out a research where its team found 2,300 unsecured Firebase databases. As a direct result of this neglect on cybersecurity, the sensitive data of over 100 million users was exposed wide open, including passwords stored in plain text.
But what’s the difference between Google Firebase and AWS when it comes to cybersecurity? Why developers and security managers aren’t acting properly when it comes to securing Firebase instances?
Firebase and AWS in Security
Here’s a surprising fact: Firebase is an unsecured database by default, meaning that developers must go hands on the cybersecurity aspect first thing when they decide to implement these Google-based instances.
On the other hand, AWS comes secured by default. So, this means that those data breaches that have occurred with AWS-based instances were caused by accidents and incorrect configurations. Indeed, by default AWS is more secure than Google Firebase.
The security weaknesses in Firebase aren’t related to complex features nor difficult implementation but to the simplest facts. While Firebase instances are unsecured by default, Google provides all the documentation and tools needed in order to make it secure and efficient.
Securing a Firebase database isn’t hard nor time-consuming, not more than any other similar scenario. However, the existence of these situations where the sensitive data of millions of users get exposed only reflects how developers are failing to meet the current standards in cybersecurity.
While it’s easy to secure a Firebase instance (basically by using the documentation provided by Google and investing some time on the task), it’s also easy for malicious third parties to make the most of these security flaws and access to user data.
The development lifecycle must comprehend enough time for developers to take care of security matters. It’s irresponsible and inconvenient to avoid investing the time to implement the proper mechanisms to secure databases and the data contained in them.
If the development team is lacking the expertise to properly implement such security mechanisms, the priority should be to hire an IT security expert. These vulnerabilities don’t only open the door for serious data breaches but also expose the organization to serious legal problems.