Another week, another major app data security mishap. This time 38 million sensitive records have been exposed by forty-seven different companies and government entities, on the Microsoft Power Apps platform.
In our collective imagination, data breaches are caused by intrepid, lone hackers, against whom there can be no defence. Sometimes that is true – but rarely. This latest exposure is interesting for being pretty normal. It’s caused by a simple misconfiguration of the back-end.
Microsoft Power Apps is one of many “low code” platforms which claim to allow you to build apps in hours rather than months. You can build multi-platform apps, including support for Android and iOS, using visual designers rather than complex code. Where calculations are required, you can express them using Excel-style formulae.
Whether this platform – and others of its type – is actually effective, is likely down to what kind of app you’re looking to create. You certainly couldn’t use it to create a game or a social network, for example, and anything which requires the device’s hardware (GPS, camera, etc) is likely to be tricky to wrangle. But it’s likely to be fairly effective for anything which can essentially be broken down to a spreadsheet.
The danger of Power Apps, though, is that building the security model for the data your app holds is just as complex as with any other platform. That is to say, really complex. It’s an exercise which typically takes us at least several days at the beginning of a project, and includes writing security rules to define who is allowed to read and write any individual piece of data which the system stores. It also includes writing tests to ensure that we’ve got the rules right; tests which are run regularly so as to alert us if any configuration change affects security.
The recent breach was not in any way caused by Power Apps itself. There was no malfunction, no in-built security flaw. Instead, the forty-seven different companies and government departments just configured it wrong, in a way which meant that their respective apps’ data was available for all to see.
This is not a problem unique to Power Apps of course. Any back end technology can be misconfigured in this way, including the many different parts of AWS and Azure, and our own favourite, Firebase. Firebase used to be insecure by default, and we have over time taken on several customers whose previous developers have left their apps’ data open to the world. (Firebase, to their credit, have changed this now. They force you to choose whether your data is open during development.)
But what’s different about Power Apps, and other low-code platforms like it, is that it has to work for beginners. It’s aimed at people who have never authored apps before. And so, if it were fully secure by default, its target audience would have a great struggle getting any data out. It’s not that Power Apps can’t be secured, it’s that doing so is significantly more complex than building the app in the first place.
So what’s the solution? Security is complex and needs careful consideration. Regardless of the platform you use to build your app, its security architecture is always best left to a professional.