This is the Shared Security Weekly Blaze for July 2nd, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!
Show Transcript
This is your Shared Security Weekly Blaze for July 9th 2018 with your host, Tom Eston. In this week’s episode: Mobile app data leaks, the California privacy act, and third-party Gmail access.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Researchers from a mobile security company called Appthority have released concerning details about their research into Android and Apple iOS apps that use a cloud-based backend database called Firebase. Firebase was acquired by Google in 2014. Appthority reviewed more than 2.7 million mobile apps and discovered that around two thousand of these apps had unsecured Firebase databases. These databases were found to be wide open, allowing anyone to view around 2.6 million user names and plain text passwords, 25 million GPS location records, 50 thousand financial transactions and approximately 4.5 million user tokens for social media sites. In addition, over 4 million PHI (Protected Health Information) records were found containing prescription and private chat records. To add more insult to injury, all that was needed to access these unsecured databases was to append a simple “/.json” to the end of a database host name. The good news is that Appthority reached out to Google to alert them of the issue and Google was able to contact app developers to fix the issue.
Ironically, in our last episode of the podcast, we discussed the Exactis data leak which exposed 340 million records due to developers not properly securing ElasticSearch databases. Data leaks due to developers not properly securing and configuring databases seem to have reached epidemic proportions. The unfortunate side effect of data leaks like these is that if your data happened to be exposed, you may never know about it. Of course, unless your data happens to show up on a list of compromised databases like Troy Hunt’s “Have I Been Pwned” service, it’s very hard to know if criminals have accessed or used data from all these recent data leaks. Until developers and database software take a “security by default” approach and companies are held more accountable for securing our private information, data leaks like these are going to continue well into the future.
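The Firebase leaks above and the “security by default” point both come down to one setting: a Firebase Realtime Database rules document whose root grants `.read`/`.write` to everyone, which the REST endpoint (the “/.json” suffix) honours just like the SDKs do. The following is an added example, not code from the podcast, Appthority or Google: a small rules linter that flags unconditional grants, run over two constructed rule sets, one wide open and one scoped to the authenticated user. The rules syntax (`.read`, `.write`, `$uid`, `auth`) is Firebase’s own; the sample documents and the linter are assumptions written for this page.

```python
import json

# Two constructed Firebase Realtime Database rule sets (not from the podcast).
# Rules are a JSON document whose ".read"/".write" keys hold a boolean or a
# string expression evaluated per request. A grant at the root cascades to
# every child path, so ".read": true at the top is the wide-open state the
# episode describes: anyone can fetch the whole tree via ".../.json".
WIDE_OPEN_RULES = """
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
"""

# Hardened variant: each user may read/write only their own subtree, and a
# single node is deliberately left world-readable (but never writable).
HARDENED_RULES = """
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "public_config": {
      ".read": true,
      ".write": false
    }
  }
}
"""


def find_open_rules(rules_text):
    """Return (path, key) pairs where a rule grants access to unauthenticated callers.

    A rule is flagged when its value is literally true, or is a string expression
    that never references `auth` (the only source of caller identity in rules),
    e.g. ".read": "true" or ".read": "data.exists()".
    """
    doc = json.loads(rules_text)
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                unconditional = value is True or (
                    isinstance(value, str) and "auth" not in value
                )
                if unconditional:
                    findings.append((path or "/", key))
            elif not key.startswith("."):
                # Child paths, including "$wildcard" segments.
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


def is_wide_open(rules_text):
    """True when the root itself grants read or write: every child inherits it."""
    return any(path == "/" for path, _ in find_open_rules(rules_text))


if __name__ == "__main__":
    for name, text in (("wide open", WIDE_OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: findings={find_open_rules(text)} root_open={is_wide_open(text)}")
```

The hardened document still produces one finding, for `/public_config`, which is the point of the check: a review should have to consciously accept each world-readable node rather than inherit openness from the root. Running the linter against exported rules before deployment is the “security by default” habit the episode calls for.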
The new California Privacy Act of 2018, recently passed by the California legislature, will apply to more than 500,000 US businesses according to the International Association of Privacy Professionals (IAPP). This new law is similar to the GDPR privacy legislation that was recently enacted by the European Union. Beginning in January of 2020, all California residents will have rights to transparency about data collected, the right to be forgotten, a right to data portability and a right to opt out of having their data sold. This law will apply to any business in California that collects personal information and businesses that sell or disclose personal information for a specific business purpose. Ironically, some of the largest companies that use and sell personal data, such as Google and Facebook, are headquartered in California. These new rules will be enforced by the California attorney general and businesses could face fines up to $7,500 for each violation. This bill is currently the strongest privacy law in the United States, so it will be interesting to see if other states follow suit or if legislators start discussing a federal privacy law in line with what currently exists with the European GDPR privacy legislation.
Google confirmed last week that emails from Google’s free Gmail email service can be read by some third-party app developers. Specifically, third-party apps can request access to users’ Gmail accounts if there is particular functionality that requires email access. For example, some apps need to send and receive emails or integrate into a mail account to pull out specific data. Most of the time it’s an automated program that will access someone’s email account. While many people may not be surprised by this, especially if you’re agreeing to allow an app this type of access, what’s not clear is how developers may leverage this access to manually read people’s email. In an article from the BBC about this issue, one company is noted as saying that they will “review the emails of hundreds of users to build a new software feature”. All of this took place without asking for additional permission from the users of these email accounts or Google.
We’ve all heard the phrase “with great power comes great responsibility”, right? Well, what we seem to have here is an abuse of power that a developer may use with great amounts of personal data. It’s no different than issues we see with Facebook app developers who are already given rights, through the terms of service we all agree to, to access this data with no oversight or restrictions. We also can’t always assume that an automated program is the only thing looking at our personal data; humans will too, as it’s in our curious nature. The good news out of all this is that you can review the third-party apps that may have access to your Gmail account by visiting Google’s “Security Check-up” page. See our show notes for a link to this tool. Just a reminder that if you’re not comfortable with any of Google’s terms and conditions, regardless of third-party access, you may want to consider using a different email service that allows you more control of your privacy and is not focused on serving you ads like Google is. Keep in mind, most email services that are focused on your privacy are typically not free, since with free services, we all know that you are the product.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.