Low-code software is a powerful tool for quickly building professional apps and websites with minimal effort. But choosing the wrong tool can be disastrous: witness the recent data breach in which 38 million records were exposed online because of insecure default security configurations built into Microsoft’s low-code tool, Power Apps.
Microsoft Power Apps Misconfiguration Exposes 38 Million Records
Researchers at the security company UpGuard found that 47 government agencies and private businesses, including Microsoft itself, exposed 38 million sensitive data records online because they used Power Apps’ default configuration, which allowed public access to the portals’ private records. UpGuard reports, “The types of data varied between portals, including personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses.”
Among the businesses and agencies affected were American Airlines, Ford, the Maryland Department of Health, the New York City Transportation Authority, New York City school system, the state of Indiana, and many Microsoft portals, including the company’s Global Payroll Services portal, its Customer Insights Portal, and others.
Power Apps Default Configurations Make Data Accessible
How could this have happened? The title of UpGuard’s blog about the breach says it all: “By Design: How Default Permissions on Microsoft Power Apps Exposed Millions.”
The problem lay in the default configuration of the OData APIs that Power Apps portals use to expose list data. Each API can be configured either to make its data publicly accessible to anyone or to require authentication; by default, it was configured to allow anonymous public access.
The UpGuard blog post notes, “Among the examples of sensitive data exposed via OData APIs were three Power Apps portals used by American governmental entities to track COVID-19 tracing or vaccination and a portal with job applicant data including Social Security Numbers…these instances were examples of a broader pattern, with a significant number of Power Apps portals configured to allow anonymous access to lists and exposing PII [personally identifiable information] as a result.”
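As an added example (not code from the original post, from Alpha Software, or from Microsoft), the following Python script shows the kind of check a portal administrator can run against their own Power Apps portals to confirm that the OData feed no longer answers anonymous requests with data. It assumes the portal publishes its feed at the `/_odata` path, requests at most one row per list (`$top=1`), and reports only list names and a verdict, never field values. The sample responses are constructed so the script also runs offline.

```python
import json
import sys
from dataclasses import dataclass, field
from typing import Callable, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumption: a portal publishes its OData feed under this path.
ODATA_PATH = "/_odata"

# A fetcher takes a URL and returns (HTTP status, response body).
Fetcher = Callable[[str], Tuple[int, str]]


def http_get(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Unauthenticated GET: no cookies, no tokens, so the answer reflects
    exactly what an anonymous visitor would receive."""
    req = Request(url, headers={"Accept": "application/json",
                                "User-Agent": "odata-anon-audit/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def parse_odata_json(body: str):
    """Return the 'value' array of an OData JSON document, or None when the
    body is not one (e.g. an HTML login page served with status 200)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if isinstance(doc, dict) and isinstance(doc.get("value"), list):
        return doc["value"]
    return None


@dataclass
class PortalReport:
    portal: str
    feed_status: int
    exposed_lists: list = field(default_factory=list)  # rows returned anonymously
    empty_lists: list = field(default_factory=list)    # reachable, but no rows
    verdict: str = ""


def audit_portal(base_url: str, fetch: Fetcher = http_get) -> PortalReport:
    """Classify how a portal's OData feed answers an anonymous client."""
    base = base_url.rstrip("/")
    status, body = fetch(base + ODATA_PATH)
    report = PortalReport(portal=base, feed_status=status)
    if status in (401, 403):
        report.verdict = "feed requires authentication"
        return report
    if status == 404:
        report.verdict = "no OData feed published"
        return report
    entity_sets = parse_odata_json(body) if status == 200 else None
    if entity_sets is None:
        report.verdict = f"status {status} without an OData document (likely a login page)"
        return report
    for entry in entity_sets:
        if not isinstance(entry, dict):
            continue
        name = entry.get("url") or entry.get("name")
        if not name:
            continue
        # $top=1 asks for a single row: enough to prove exposure, nothing more.
        row_status, row_body = fetch(f"{base}{ODATA_PATH}/{name}?$top=1")
        rows = parse_odata_json(row_body) if row_status == 200 else None
        if rows:
            report.exposed_lists.append(name)
        elif rows is not None:
            report.empty_lists.append(name)
    report.verdict = ("ANONYMOUS ACCESS EXPOSES DATA" if report.exposed_lists
                      else "feed published but no rows returned anonymously")
    return report


# Constructed sample responses: one misconfigured portal, one locked down.
SAMPLE_RESPONSES = {
    "https://open-portal.invalid/_odata": (200, json.dumps({
        "@odata.context": "https://open-portal.invalid/_odata/$metadata",
        "value": [{"name": "Contacts", "kind": "EntitySet", "url": "Contacts"},
                  {"name": "Cases", "kind": "EntitySet", "url": "Cases"}]})),
    "https://open-portal.invalid/_odata/Contacts?$top=1": (200, json.dumps({
        "value": [{"ContactId": "00000000-0000-0000-0000-000000000001"}]})),
    "https://open-portal.invalid/_odata/Cases?$top=1": (200, json.dumps({"value": []})),
    "https://locked-portal.invalid/_odata": (403, ""),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    return SAMPLE_RESPONSES.get(url, (404, ""))


def main(argv):
    targets = argv[1:] or ["https://open-portal.invalid", "https://locked-portal.invalid"]
    fetch = http_get if argv[1:] else sample_fetch
    for target in targets:
        r = audit_portal(target, fetch=fetch)
        print(f"{r.portal}: {r.verdict}")
        for name in r.exposed_lists:  # names only; row contents are never printed
            print(f"  exposed list: {name}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with your own portal base URLs as arguments; with no arguments it audits the constructed sample. A verdict of ANONYMOUS ACCESS EXPOSES DATA means the named lists return rows to anyone, so their table permissions and the feed setting need review before the portal is considered fixed.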
Should Citizen Developers Be Expected to Configure and Use APIs to Ensure Power Apps Security?
Configuring and using the API is quite complex. The Microsoft documentation for doing it is confusing and very difficult to understand – so confusing that Microsoft itself couldn’t figure it out: when the company built portals using Power Apps, it misconfigured the API to allow public access to the portals’ data. This is a high bar to expect citizen developers across the organization to clear comfortably and with experience.
Microsoft has since changed the default configuration of Power Apps’ OData APIs. But what happened should be a warning to anyone to make sure they use the best tools for building secure apps and portals.
These Security Risks Are On the Rise As Citizen Developers Build More Mobile Apps
More citizen developers will be building apps this year and in the future. In fact, Gartner says, "on average, 41% of employees outside of IT – or business technologists – customize or build data or technology solutions". Gartner predicts that 50% of new low-code customers will live in business units outside the IT organization by the end of 2025.
It's imperative that companies select low-code software tools and low-code vendors with experience serving non-developers and building tools for them, tools that offer built-in security or training that guides citizen developers through the process of securing their apps.
Low-Code Software With Built-in Security to Protect Citizen Developers
Read about a great alternative to Power Apps for citizen development.
If you’re looking for a low-code platform with built-in security for citizen developers, look to Alpha TransForm. This solution for building secure mobile forms and secure portals includes enterprise-level security and pre-set configurations. While it's a no-code tool that citizen developers can easily work with, Alpha TransForm has the powerful security framework of Alpha Anywhere built in.
The framework includes comprehensive and robust application security that provides you with the tools you need to easily secure your sensitive data, protecting your business and its clients. There is a fully integrated login/logout component, data encryption with HMAC and SSL support, and other built-in tools for enterprise mobile management. For particularly security-conscious organizations, Alpha Software products can also run on-premises, something Microsoft Power Apps cannot do. Learn More About the Alpha Software Security Framework.
Get Proven, Secure No-Code/Low-Code Software for Citizen Developers
Alpha Software has worked for more than 10 years to help enterprises build secure desktop, web, and mobile apps. The company's award-winning no-code and low-code software products help developers become more productive and help citizen developers learn to build secure mobile apps for digital transformation.
Need secure, no-code software for citizen developers at your organization, with less risk and a built-in security framework? Get a free license of Alpha TransForm today, and see how easily citizen developers can craft mobile apps with security built in.
For organizations searching for secure, low-code software, developers can download and build apps for free with Alpha Anywhere Community Edition. As mentioned above, it has a comprehensive Security Framework built in.
Read what Gartner had to say about Alpha Anywhere vs. Power Apps.
View a comparison of Alpha Anywhere to Microsoft Power Apps.
Further Reading: What To Know About Low-Code/No-Code Platform Security
Low-code and no-code development platforms are great tools for rapid software development, helping non-technical business experts and IT quickly write powerful, useful applications. But are they safe and secure — and what can be done to make sure they meet enterprise-level standards for security? Read the full article to learn what citizen developers need to know about low-code and no-code software security.