Tag Archives: mobile

Bluescape releases newest version of its mobile app

Bluescape has launched its newest mobile app to enable users to access their content on the go.

The app, available in the Apple App Store and Google Play store, connects to Bluescape workspaces from mobile devices, such as cellphones or tablets. According to the vendor, it enables users to give presentations without a laptop by launching a Bluescape session from the app onto larger touchscreens.

Users can also access their content and workspace anytime and from anywhere and search and view content. According to Bluescape, the app provides a visual collaboration workspace that integrates day-to-day applications, content and tools.

The Bluescape platform is cloud-based software, with applications designed for collaboration in the workplace. Available applications include mobile and personal workstations, huddle rooms, innovation centers, collaboration suites, conference rooms, training rooms, executive briefing centers, command centers and control centers. Search, messaging and file sharing are also built into the platform.

Bluescape lists professionals in jobs such as architecture, consulting, designing, filmmaking, marketing and product development as ideal users for its product, as these are often groups of people working collaboratively and visually.

Bluescape is among the vendors offering visual collaboration software, which works hand in hand with digital collaborative whiteboards. Vendor Mural provides separate workspaces for teams and enables scaling for companywide processes, with frameworks for Agile, Lean and Design Thinking methods. Custom frameworks are also available.

Competitor Miro touts its product development, user experience research and design, and Lean and Agile capabilities, as well as its enterprise-grade security. Available applications include Google Drive, Box, Dropbox, Slack, OneDrive and Microsoft Teams.


End users will make or break an Office 365 migration

An Office 365 migration can improve an end user’s experience by making it easier to work in a mobile environment while also keeping Office 365 features up to date. But if the migration is done without the end users in mind, it can lead to headaches for IT admins.

At a Virtual Technology User Group (VTUG) event in Westbrook, Maine, about 30 attendees piled into a Westbrook Middle School classroom to hear tips on how to transition to Office 365 smoothly.

Office 365 is Microsoft’s subscription-based line of Office applications, such as Word, PowerPoint, Outlook, Teams and Excel. Rather than being downloaded onto a PC, Office 365 apps run in the cloud, enabling users to access their files wherever they are.

“As IT admins, we need to make the digital transformation technology seem easy,” said Jay Gilchrist, business development manager for Presidio Inc., a cloud, security and digital infrastructure vendor in New York and a managed service provider for Microsoft. Gilchrist and his Presidio colleague, enterprise software delivery architect Michael Cessna, led the session, outlining lessons they’ve learned from previous Office 365 migrations.

Importance of communication and training

Their first lessons included communicating with end users, keeping a tight migration schedule and the importance of training.

“You want to make it clear that you’re not just making a change for change’s sake,” Gilchrist said. “Communicate these changes as early as possible and identify users who may need a little more training.”

One practical tip he offered is to reserve the organization’s name in Office 365 early to ensure it’s available.


Conducting presentations, crafting targeted emails and working to keep the migration transparent can help IT admins keep end users up to date and enthused about the transition.

“End users are not information professionals,” Cessna said. “They don’t understand what we understand and these changes are a big deal to them.”

Cessna and Gilchrist said that if IT admins want end users to adopt apps in Office 365, they’ll need to provide the right level of training. IT admins can do that by providing internal training sessions, using external resources such as SharePoint Training Sites, as well as letting users work with the apps in a sandbox environment. Training will help end users get used to how the apps work and address questions end users may have in real time, thereby reducing helpdesk tickets once the Office 365 migration is completed. 

Governance and deployment

Before an Office 365 migration, IT admins need to have an application governance plan and a deployment plan in place.

“Governance built within Microsoft isn’t really there,” Cessna said. “You can have 2,000 users and still have 4,500 Team sessions and now you have to manage all that data. It’s good to take care of governance at the beginning.”

Deployment of Office 365 is another aspect that IT admins need to tackle at the start of an Office 365 migration. They need to determine what versions are compatible with the organization’s OS and how the organization will use the product.

“It’s important to assess the digital environment, the OSes, what versions of Office are out there and ensure the right number of licenses,” Cessna said.

Securing and backing up enterprise data

One existing concern for organizations migrating from on-premises to an Office 365 cloud environment is security.

Microsoft provides tools that can help detect threats and secure an organization’s data. Microsoft offers Office 365 Advanced Threat Protection (ATP), a cloud-based email filtering service that helps protect against malware, Windows Defender ATP, an enterprise-grade tool to detect and respond to security threats, and Azure ATP, which accesses the on-premises Active Directory to identify threats.

Microsoft has also added emerging security capabilities such as passwordless log in, single-sign-on and multi-factor authentication to ensure data or files don’t get compromised or stolen during an Office 365 migration.

Regulated organizations such as financial institutions that need to retain data for up to seven years will need to back up Office 365 data, as Microsoft provides limited data storage capabilities, according to Cessna.

Microsoft backs up data within Office 365 for up to two years in some cases, and only for one month in other cases, leaving the majority of data backup to IT.

“[Microsoft] doesn’t give a damn about your data,” he said. “Microsoft takes care of the service, but you own the data.”

Picking the right license

Once the organization is ready for the migration, it’s important to choose the right Office 365 license, according to Gilchrist.

There are several ways for an organization to license an Office 365 subscription. Gilchrist said choosing the right one depends on the size of the organization and the sophistication of the organization’s IT department.

[Figure: The subscription choices for Office 365. When deciding on which Office 365 subscription to license, it’s important to examine the size and scope of your organization and decide which offering works best for you.]

Smaller businesses can choose an option of licenses for 300 or fewer users, as well as options for add-ons like a desktop version of Office and advanced security features. The cost for enterprise licenses differs depending on the scope of the licenses and number of licenses needed, and educational and non-profit discounts on licenses are offered as well.

Other licensing options include Microsoft 365 bundles, which combine Office 365 with a Windows 10 deployment, or organizations could use Microsoft as a Cloud Solution Provider and have the company handle the heavy lifting of the Office 365 migration.

“There are different ways to do it. You just have to be aware of the best way to license for your business,” Gilchrist said.

Measuring success and adoption

Once completed, IT still has one more objective, and that’s to prove the worth of an Office 365 migration.

“This is critical and these migrations aren’t cheap,” Cessna said. “You want to show back to the business the ROI and what this new world looks like.”

To do that, IT admins will have to circle back to their end users. They can use tools such as Microsoft’s Standard Office 365 Usage Reports, Power BI Adoption reports or other application measurement software to pin down end user adoption and usage rates. They can provide additional training, if necessary.

“Projects fail because the end users aren’t happy,” Cessna said. “We don’t take them into account enough. Our end users are our customers and we need to make sure they’re happy.”


For Sale – EE 4g Osprey WiFi Dongle ‘Price Drop’

EE 4g mobile dongle.
Locked to EE but also works with my plusnet sim.
You can get an unlock code for 99p from an auction place.
No cables, just the box.
Tested this morning and in good order.
£33 to include postage.
Malcolm

Price and currency: £22
Delivery: Delivery cost is included within my country
Payment method: BT or PPG
Location: Llandrinio
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I have no preference

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.

Last edited: Aug 31, 2018


Another mSpy leak exposed millions of sensitive user records

Mobile spyware company mSpy has once again leaked millions of customer records to the public internet.

The company develops mobile spyware that customers use to monitor the mobile device activity of their children, partners and others. Security researcher Nitish Shah discovered the mSpy leak via a public-facing database and reached out to cybersecurity journalist Brian Krebs, who first reported the leak.

Krebs looked into the mSpy leak and said no authentication was required to access the database. The customer data included passwords, call logs, text messages, contacts, notes and location data — all of which was compiled by the mSpy spyware — and there were millions of records. Additionally, there were records containing the username, password and private encryption key of every mSpy customer who was active in the last six months. The database also included the Apple iCloud usernames and authentication tokens of the Apple devices running mSpy.

According to Krebs, anyone who accessed the database would be able to see WhatsApp and Facebook messages that were also compiled by mSpy.

Krebs also noted that the transaction details of all mSpy licenses purchased within the last six months were exposed, and that included customer names, email addresses and mailing addresses. Additionally, there was browser and internet address information from users visiting the mSpy website.

The exposed database was taken offline this week. But Shah told Krebs the company’s support people ignored him when he tried to alert them of the mSpy leak and asked to be directed to their head of technology or security. After Shah contacted Krebs, Krebs reached out to mSpy as well, with only slightly better results. The chief security officer of mSpy said the company was aware of the issue and was working on it.

In response to Krebs’ article, mSpy issued a statement in which it acknowledged there was an incident, but denied that millions of records had been exposed.

This isn’t the first mSpy leak in recent years. In 2015, Krebs also reported a data leak after mSpy was hacked and customer data was posted on the dark web. In that breach, the information of over 400,000 customers was estimated to have been exposed, and mSpy “initially denied suffering a breach for more than a week,” according to Krebs, despite customers confirming their data was part of the exposed cache.

In other news:

  • The FIDO Alliance has launched a certification program for biometrics. “Biometric user verification has become a popular way to replace passwords and PINs, but the lack of an industry-defined program to validate performance claims has led to concerns over variances in the accuracy and reliability of these solutions,” the FIDO Alliance said. The certification, called the Biometric Component Certification Program, is designed for both users and providers. For enterprises, FIDO said, “it provides a standardized way to trust that the biometric systems they are relying upon for fingerprint, iris, face and/or voice recognition can reliably identify users and detect presentation attacks.”
  • More than 7,500 MikroTik routers were infected with malware, according to researchers from Qihoo 360 Netlab. The malware logs and transmits network traffic information to servers under the hackers’ control. The researchers found the routers were infected by the malware through an exploit of a vulnerability disclosed in the Vault7 leaks of alleged CIA hacking tools. The vulnerability, tracked as CVE-2018-14847, was patched in April. The researchers noticed the malicious activity on their honeypot systems in July specifically aimed at MikroTik routers. The largest number of routers affected by CVE-2018-14847 exploits were in Russia, as well as Iran, Brazil, India and Ukraine.
  • Hackers have compromised the MEGA Chrome extension — which is used for secure cloud storage — to steal login credentials and cryptocurrency keys, according to researchers. First discovered by an anonymous researcher called SerHack, the malicious version of the browser extension monitors for usernames and passwords in login forms on Amazon, Microsoft, GitHub and Google, and then it sends the credentials to a host in Ukraine. It also scanned for URLs relating to cryptocurrency sites, and then it would try to steal that login data, as well. The malicious version of the MEGA Chrome extension was put in place at some point after Sept. 2, and Google has already taken it down. There’s no evidence the Firefox version of MEGA has been compromised. Chrome users of the MEGA extension should remove it immediately and change all account passwords.

5G services to headline Mobile World Congress Americas 2018

If it’s September, it’s time for Mobile World Congress Americas. And this year’s conference, scheduled for next week in Los Angeles, will be all about 5G services, wrote Kathryn Weldon, an analyst at GlobalData, based in London.

“Clearly we are closer to actual 5G rollouts, so all vendors and operators that participate in the 5G value chain will be touting their wares, anticipating and touting possible use cases, and amping up the excitement,” she wrote.

Weldon said she does not believe next week’s Mobile World Congress will yield any major product announcements. Instead, she categorized education as the show’s biggest benefit, especially around 5G services.

“Enterprises know little about 5G at this point because they can’t yet see it or buy it. [The conference] should help them envision the kinds of things these new technologies can do for their businesses.”

Among those new capabilities will be enhanced video broadcasting, advanced interactive gaming systems and anything that can benefit from low latency, Weldon said.

5G services won’t be the only technology discussed at Mobile World Congress Americas. The event will also showcase other wireless trends, including low-power WANs, internet of things and, of course, business transformation. What’s a show without some mention of transformation, after all?

Find out what else — beyond 5G services — Weldon said attendees should look for at next week’s Mobile World Congress Americas.

VMware loves the cloud — now

VMware wasn’t always a fan of the cloud, but it sure is now, said Drew Conry-Murray, in a Packet Pushers post.

The vendor pitched its virtual cloud network architecture at last month’s VMworld, with executives telling attendees to make VMware software the foundation for all of their enterprises’ multi-cloud operational requirements — from security to management.

The reason why? The vendor does not want to be cast aside as more applications rely on a public cloud infrastructure that does not require VMware, Conry-Murray said.

VMware’s approach could work, but it won’t be inexpensive. Or easy, Conry-Murray said.

Read Conry-Murray’s other observations about VMware’s embrace of multi-cloud.

Platform wars: The next phase of enterprise security?

Jon Oltsik, an analyst at Enterprise Strategy Group in Milford, Mass., said CISOs are increasingly looking for a single vendor to provide the tools they need to secure their networks.

That may be an efficient way to go, but most enterprises have a dizzying list of security needs they must meet, and finding a security platform capable of supporting all those requirements is not easy.

But that’s where Oltsik and his colleague, Doug Cahill, come in.

The two developed a list of eight attributes they said every cybersecurity platform must offer. Then they interviewed more than 200 cybersecurity professionals to identify the three attributes they consider most important.

Among the attributes cited: ease of management and coverage that includes major threat vectors such as email and web security. Almost 40% of those surveyed said email and web security is a must, while 33% said they needed a platform that offered central management across all products and services.

Find out what else survey respondents had to say about cybersecurity platforms.

Two seconds to take a bite out of mobile bank fraud with Artificial Intelligence

The future of mobile banking is clear. People love their mobile devices and banks are making big investments to enhance their apps with digital features and capabilities. As mobile banking grows, so does the one aspect of it that can be wrenching for customers and banks: mobile device fraud.


Problem: To implement near real-time fraud detection

Most mobile fraud occurs through a compromise called a SIM swap attack in which a mobile number is hacked. The phone number is cloned and the criminal receives all the text messages and calls sent to the victim’s mobile device. Then login credentials are obtained through social engineering, phishing, vishing, or an infected downloaded app. With this information, the criminal can impersonate a bank customer, register for mobile access, and immediately start to request fund transfers and withdrawals.

Artificial Intelligence (AI) models have the potential to dramatically improve fraud detection rates and detection times. One approach is described in the Mobile bank fraud solution guide. It is a behavior-based AI approach and can be much more responsive to changing fraud patterns than rules-based or other approaches.

The solution: A pipeline that detects fraud in less than two seconds

Latency and response times are critical in a fraud detection solution. The time it takes a bank to react to a fraudulent transaction translates directly to how much financial loss can be prevented. The sooner the detection takes place, the less the financial loss.

To be effective, detection needs to occur in less than two seconds. This means less than two seconds to process an incoming mobile activity, build a behavioral profile, evaluate the transaction for fraud, and determine if an action needs to be taken. The approach described in this solution is based on:

  • Feature engineering to create customer and account profiles.
  • Azure Machine Learning to create a fraud classification model.
  • Azure PaaS services for real-time event processing and end-to-end workflow.

The architecture: Azure Functions, Azure SQL, and Azure Machine Learning

Most steps in the event processing pipeline start with a call to Azure Functions because functions are serverless, easily scaled out, and can be scheduled.

The power of data in this solution comes from mobile messages that are standardized, joined, and aggregated with historical data to create behavior profiles. This is done using the in-memory technologies in Azure SQL.

Training of a fraud classifier is done with Azure Machine Learning Studio (AML Studio) and custom R code to create account level metrics.

Recommended next steps

Read the Mobile bank fraud solution guide to learn details on the architecture of the solution. The guide explains the logic and concepts and gets you to the next stage in implementing a mobile bank fraud detection solution. We hope you find this helpful and we welcome your feedback.

Developers favor JVM languages for mobile, enterprise

Languages that run on the Java Virtual Machine have lined up well with mobile app developers, alongside the usual code suspects.

JavaScript, Java, Python, PHP and C# top RedMonk’s latest list of programming languages, ranked by code usage (GitHub pull requests) and discussions (Stack Overflow Q&As). C++, CSS, Ruby, C and Objective-C round out the top 10. But a host of JVM languages rank in the middle of the pack and are on the move up the list.

The JVM supports a host of programming languages, such as Kotlin, Groovy, Scala and Clojure, along with JRuby and Jython, as well as more obscure languages such as BeanShell, Pizza, Pnuts and Xtend. Scala (ranked 12th), Clojure and Groovy (tied at 21st) advanced in the RedMonk rankings, while Kotlin — one of the hottest languages around — fell back one spot to 28th.

Bright future for Kotlin, Swift for mobile OS development

Kotlin is especially popular with mobile app developers as a preferred language for Android application development due to its clean, modern design, wrote Stephen O’Grady, analyst at RedMonk, based in Portland, Maine, in a blog post.

Scala had dropped for three consecutive quarters prior to this latest ranking, although the drops were rather small. The causative factors behind Scala’s past declines are unclear, but likely involve competition not only from Java but from other JVM languages such as Clojure, Groovy and even Kotlin.

“Scala had its day in the sun, but it seems to be suffering from growing pains and unable to move under the resistance of its own considerable weight,” said Cameron Purdy, CEO of Xqiz.it, a Lexington, Mass., software startup in stealth mode, and formerly senior vice president of development at Oracle.

Swift, a newer language to build iOS applications, also slid one slot out of a tie with Objective-C, but still enjoys increased attention from developers. IBM and others have pushed Swift as a server-side language.

Like Kotlin, Swift appeals to developers as a language that hides the ugliness of a legacy platform, although it drags a ton of luggage from various legacy Apple technologies that feel less clean, Purdy said.

“If I were a developer starting out today, I’d prioritize Kotlin and Swift for Android and iOS development, with JavaScript or TypeScript for the browser,” he said. “Kotlin should also suffice for the back end.”

Reading the tea leaves

Other industry experts suggest the ebbs and flows of such language popularity rankings are nothing more than periodic changes in the schemes of software development.

As programmers change development projects, they’ll shift from “vanilla Java” to Kotlin if they’re doing Android development, or to Groovy for development with Grails, or to Clojure or Scala for various functional programming work, said Ted Neward, director of developer relations at Smartsheet, Bellevue, Wash.


“This is much like trying to read the tides by marking the waves on the side of the pier over a five-minute period,” he said. JVM languages in general have carved out a niche within the broader Java world, which is viable because that world is so large. “If anything, it signals that these languages are reaching a level of maturity and acceptance within the ecosystem,” he said.

Meanwhile, recent improvements in the Java language, such as lambdas in Java 8 and local variable type inference in Java 11, take some steam away from JVM alternatives, said Charles Nutter, co-lead of the JRuby open source project and a senior principal software engineer at Red Hat.

“The more Java improves, the less these other ‘Java++’ languages have compelling enough differences to justify the overhead of using something other than Java,” Nutter said.

Algolia partners with integrators, digital agencies

Algolia, which offers search technology for websites and mobile apps, has launched a partner program targeting systems integrators, consultants, digital agencies and e-commerce platforms. Algolia partners include Accenture Interactive’s Altima business unit, digital agency Wunderman and e-commerce platforms Magento and Shopify.

At launch, the Algolia Partner Program has 20 certified partners. The program aims to create an ecosystem of Algolia partners that can help enterprises customize Algolia search technology, according to the company.

The program’s launch follows rising interest among customers in working with partners, said Alexandre Popp, director of channels and alliances at Algolia.

“Over the past year, we saw increasing demand from enterprises to leverage the support of partners like systems integrators, consultants and agencies,” Popp said. “So we made the decision to dedicate resources to building out partner engineering, account management, and marketing teams to support our partners in the field and meet customer demand.”

The partner program is part of the company’s enterprise customer initiative.


“Our motion to move upmarket comes with partners and multinational brands purchasing our product in tandem with partner solutions, and deployed with consulting firms’ team[s],” Popp said. He noted the program’s objective is to support partners as they “build or sell digital products” that embed Algolia.

Algolia’s partner program offers technical enablement and certification; go-to-market and sales enablement; and marketing support, including co-marketing events, webinars and campaigns. The company, founded in 2012, said it has more than 5,700 customers.

Cloud service providers launch offerings

Cloud service providers Faction and 2nd Watch rolled out new services this week.


Faction, a Denver company that focuses on multi-cloud services, said it is working with VMware to provide cloud-attached storage for VMware Cloud on AWS deployments. Faction said its Cloud Control Volumes offering provides a scalable storage platform for VMware Cloud on AWS customers who need more storage capacity.

Meanwhile, 2nd Watch, a managed service provider based in Seattle, said its Cloud Migration Cost Assessment service aims to help large and midmarket firms get a handle on the cost benefits of moving on-premises IT infrastructure to the cloud. The cloud migration assessment involves a six-week engagement in which 2nd Watch cloud personnel evaluate a customer’s IT estate and “map current resources to the most cost-effective cloud solution,” according to the company.

Other news

  • Silver Peak launched its Authorized Deployment Partner (ADP) Program, which will train, certify and authorize a group of services partners. Partners receiving authorization are deemed capable of managing the design, deployment and management of the Silver Peak Unity EdgeConnect SD-WAN offering. Program participants include Cavell Group, FireOwls Corp., Geode Networks, Traversa Solutions and Velociti.
  • Arcserve, a data backup and availability vendor based in Minneapolis, unveiled a new channel program dubbed Arcserve Accelerate. The program targets North American MSPs, value-added resellers, large-account resellers and original equipment manufacturers. Program features include re-developed e-learning courses, partner certification, individual and corporate SPIFs, marketing development funds and access to cloud-native products with support for private and public clouds such as AWS and Microsoft Azure, according to Arcserve.
  • Matrix Integration, an IT infrastructure company in Kentucky and Indiana, has opened its new Louisville regional office. The company said the expansion provides a hub for modernizing the IT infrastructure of public and private sector entities in the Louisville area.

Market Share is a news roundup published every Friday.

Unprotected Firebase databases leaked over 100 million records

Thousands of mobile applications are leaking personally identifiable information from unprotected Firebase databases.

According to research from application security company Appthority, 3,000 mobile iOS and Android apps are leaking 100 million exposed records of user data. The records include 2.6 million plain text passwords and user IDs, at least 4 million records with protected health information (PHI), 25 million GPS location records, 50 thousand financial records, and at least 4.5 million Facebook, LinkedIn, Firebase and corporate datastore user tokens.

These exposures happen “when app developers fail to require authentication to a Google Firebase cloud database,” according to the report from Appthority, which also notes that Firebase is one of the 10 most popular datastores for mobile apps with over 53,000 apps using it in 2017.

“The challenge for app developers is that Firebase does not provide adequate security capabilities out of the box. The only security feature available to developers is authentication and rule-based authorization,” Appthority explained in its report. “However, Firebase does not secure user data by default nor are third-party tools available to provide encryption for it.”

The report also noted that it would be easy for hackers to find unprotected Firebase databases and gain access to private data records.

“The result is a trove of data that is open to the public internet unless the developer explicitly imposes user authentication on each individual table or directory,” Appthority explained in the report. “Even when developers do implement authentication, they may not secure every database table.”
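The two failure modes Appthority describes, a database left open because no rule requires authentication and a table that stays exposed even though the developer "secured" it, follow from how Realtime Database rules cascade: a read or write grant at a node applies to everything beneath it and cannot be revoked by a stricter rule deeper down. The audit script below is an added example, not code from Appthority, Google or the report; the rules documents it inspects are constructed samples, and it assumes the documented Firebase semantics just described.

```python
"""Audit a Firebase Realtime Database rules document for publicly exposed paths.

Added example (not code from Appthority, Google or the Appthority report).
It relies on two documented Realtime Database rule semantics:
  * a ".read"/".write" rule that is literally true grants access to anyone,
    no Firebase Auth session required;
  * a grant at a node cascades to every descendant and cannot be revoked by
    a stricter rule deeper in the tree (shallower rules win).
So one `true` near the root exposes every table beneath it, and a developer
who later adds "auth != null" on one table has not protected it.
"""
import json

PERMS = (".read", ".write")
FINDING_PUBLIC = "public"
FINDING_INHERITED = "public via a grant on an ancestor"
FINDING_INEFFECTIVE = "ineffective: an ancestor already grants public access"

# Constructed sample of a leaking rules file: the root was left readable by
# everyone, /users was "secured" afterwards, and /health_records is
# world-writable.
WEAK_RULES = """
{
  "rules": {
    ".read": true,
    "users":          { ".read": "auth != null", ".write": "auth != null" },
    "health_records": { ".write": true },
    "logs":           { ".write": "auth != null" }
  }
}
"""

# Constructed corrected version: deny at the root (Firebase's locked-mode
# default) and grant each per-user record only to its owner.
HARDENED_RULES = """
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": { ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid" }
    },
    "health_records": {
      "$uid": { ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid" }
    },
    "logs": { ".read": "auth != null", ".write": "auth != null" }
  }
}
"""


def is_public(rule):
    """True for a rule that grants access unconditionally (JSON true or "true")."""
    return rule is True or (isinstance(rule, str) and rule.strip() == "true")


def audit_rules(rules_text):
    """Return sorted (path, permission, finding) tuples for a rules JSON document.

    Findings are emitted where a rule grants public access, where a path is
    public only because an ancestor granted it, and where a restrictive rule
    sits below a public grant and is therefore ignored by Firebase.
    """
    tree = json.loads(rules_text)["rules"]
    findings = []

    def walk(node, path, inherited):
        for perm in PERMS:
            rule = node.get(perm)
            if inherited[perm]:
                # Already public from above; a stricter rule here is a false
                # sense of security, and no rule at all is still exposed.
                if rule is not None and not is_public(rule):
                    findings.append((path, perm, FINDING_INEFFECTIVE))
                else:
                    findings.append((path, perm, FINDING_INHERITED))
            elif is_public(rule):
                findings.append((path, perm, FINDING_PUBLIC))
        child_inherited = {p: inherited[p] or is_public(node.get(p)) for p in PERMS}
        for key, child in node.items():
            # Keys starting with "." are rules (".read", ".write", ".validate");
            # everything else, including "$uid" wildcards, is a child location.
            if not key.startswith(".") and isinstance(child, dict):
                walk(child, path.rstrip("/") + "/" + key, child_inherited)

    walk(tree, "/", {p: False for p in PERMS})
    return sorted(findings)


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        result = audit_rules(doc)
        print(f"{name}: {len(result)} finding(s)")
        for path, perm, finding in result:
            print(f"  {path} {perm}: {finding}")
```

Run against an exported rules file, the script lists every location that is reachable without a Firebase Auth session, which is exactly the per-table check the report says developers skip.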

As a result, the Appthority researchers found that over 113 GB of data has been exposed through the 3,000 apps. They also found that 62% of enterprises are using at least one vulnerable app, spanning a variety of industries across the globe including banking, telecoms, postal services, ride sharing companies, hospitality and education. The apps that leaked the most data were health and fitness apps.

“Medical information can be worth ten times more than credit card numbers on the deep web,” the report said. “Fraudsters can use this data to create fake IDs to buy medical equipment or drugs, or combine a patient number with a false provider number and file fictional claims with insurers.”


Appthority said it notified Google of this issue with apps hosted on unprotected Firebase databases, but Seth Hardy, Appthority’s director of security research, doesn’t think the blame falls entirely to Google — despite Google not making the security features that would prevent these leaks set to default.

“They’re not directly responsible,” he told SearchSecurity. “When you make a tool and try to make it easy to use, then you’re probably not going to want to add that setting by default.”

Hardy noted that it’s also not the responsibility of the user to make sure the apps are secure.

“It’s definitely a developer issue,” he said. “It’s misconfiguration and mismanagement of the backend infrastructure opening up these vulnerabilities.”

The solution, according to Hardy, lies with the developers.

“It’s really just a matter of trying to educate developers in general about secure coding practices, making sure that they’re implemented in all parts of the software development lifecycle and giving users and enterprises the tools to verify whether these apps are implementing proper security controls on their data.”