Alpha Software Blog

Power Apps Security Breach: How Citizen Developers Build Apps Safely

Low-code software is a powerful tool for quickly building professional apps and websites with a minimum of effort. But choosing the wrong tool can be disastrous: witness the recent data breach in which 38 million records were exposed online because of dangerous default security configurations built into Microsoft’s low-code tool, Power Apps.

Microsoft Power Apps Misconfiguration Exposes 38 Million Records

Researchers at the security company UpGuard found that 47 government agencies and private businesses, including Microsoft itself, exposed 38 million sensitive data records online because they used Power Apps’ default configuration, which allowed public access to the portals’ private records. UpGuard reports, “The types of data varied between portals, including personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses.”

Among the businesses and agencies affected were American Airlines, Ford, the Maryland Department of Health, the New York City Transportation Authority, the New York City school system, the state of Indiana, and many Microsoft portals, including the company’s Global Payroll Services portal, its Customer Insights Portal, and others.

Power Apps Default Configurations Make Data Accessible

How could this have happened? The title of UpGuard’s blog about the breach says it all: “By Design: How Default Permissions on Microsoft Power Apps Exposed Millions.”

The problem was caused by the default configuration of Power Apps’ OData APIs, which expose portal list data. Each API can be configured either to make its data publicly accessible to anyone or to require authentication before serving it. By default, the APIs were configured to allow public access.

The UpGuard blog post notes, “Among the examples of sensitive data exposed via OData APIs were three Power Apps portals used by American governmental entities to track COVID-19 tracing or vaccination and a portal with job applicant data including Social Security Numbers…these instances were examples of a broader pattern, with a significant number of Power Apps portals configured to allow anonymous access to lists and exposing PII [personally identifiable information] as a result.”
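The pattern UpGuard describes is an OData list that answers an unauthenticated request with records. The following audit helper is an added example (not code from this post, Alpha Software, UpGuard or Microsoft) showing how a defender can classify what an anonymous request to a portal's OData feed returned and flag PII-looking columns; the sample responses are constructed, and the feed URL is assumed to be the one you are responsible for.

```python
"""Offline triage of an anonymous OData response (added example, constructed data)."""
import json
import re

# Column-name fragments suggesting personal data, mirroring the categories UpGuard
# reported: social security numbers, employee IDs, names and e-mail addresses.
PII_HINTS = re.compile(
    r"ssn|social|email|firstname|lastname|fullname|employeeid|phone|dob|birth", re.I
)


def classify_anonymous_response(status: int, body: str) -> dict:
    """Interpret the HTTP status and body returned to an *unauthenticated* GET.

    verdict: "requires_auth" (401/403), "exposed" (200 with rows),
             "empty" (200 without rows) or "other" (anything else).
    rows:    number of records handed out anonymously.
    pii_cols: column names that look like personal data.
    """
    nothing = {"rows": 0, "pii_cols": []}
    if status in (401, 403):
        return {"verdict": "requires_auth", **nothing}
    if status != 200:
        return {"verdict": "other", **nothing}
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return {"verdict": "other", **nothing}
    rows = payload.get("value", []) if isinstance(payload, dict) else []
    if not isinstance(rows, list) or not rows:
        return {"verdict": "empty", **nothing}
    cols = {key for row in rows if isinstance(row, dict) for key in row}
    pii = sorted(col for col in cols if PII_HINTS.search(col))
    return {"verdict": "exposed", "rows": len(rows), "pii_cols": pii}


# Constructed sample responses: a locked-down feed and one with the default, open setting.
LOCKED_DOWN = (401, "")
EXPOSED = (200, json.dumps({"value": [
    {"contactid": "c1", "fullname": "Sample Person", "emailaddress1": "sample@example.com", "ssn": "000-00-0000"},
    {"contactid": "c2", "fullname": "Other Person", "emailaddress1": "other@example.com", "ssn": "000-00-0001"},
]}))

if __name__ == "__main__":
    for label, (status, body) in {"locked": LOCKED_DOWN, "open": EXPOSED}.items():
        print(label, classify_anonymous_response(status, body))
```

A verdict of "exposed" with a non-empty pii_cols list is the condition to remediate by requiring authentication on that list; "requires_auth" is the expected result after the fix.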

Should Citizen Developers Be Expected to Configure and Use APIs to Ensure Power Apps Security?

Hard to Do

Configuring and using the API is quite complex. The Microsoft documentation for doing it is confusing and very difficult to understand, so confusing that Microsoft itself couldn’t figure it out: when the company built portals using Power Tools, it misconfigured the API to allow public access to the portals’ data. This is a high bar to expect citizen developers across the organization to be comfortable and experienced with.

Microsoft has since changed Power Apps’ OData APIs default configurations. But what happened should be a warning to anyone to make sure they use the best tools for building secure apps and portals.

These Security Risks Are On the Rise As Citizen Developers Build More Mobile Apps

More citizen developers will be building apps this year and in the future. In fact, Gartner says, "on average, 41% of employees outside of IT – or business technologists – customize or build data or technology solutions". Gartner predicts that 50% of new low-code customers will live in business units outside the IT organization by the end of 2025.

It's imperative that companies select low-code software tools and low-code vendors with experience servicing non-developers and building tools for them that offer built-in security or training that guides citizen developers through the process of securing their apps.

Low-Code Software With Built-in Security to Protect Citizen Developers

Read about a great alternative to Power Apps for citizen development.

If you’re looking for a low-code platform with built-in security for citizen developers, look to Alpha TransForm. This solution for building secure mobile forms and secure portals includes enterprise-level security and pre-set configurations. While it's a no-code tool that citizen developers can easily work with, Alpha TransForm has the powerful security framework of Alpha Anywhere built in.

The framework includes comprehensive and robust application security that provides you with the tools you need to easily secure your sensitive data, protecting your business and its clients. There is a fully integrated login/logout component, data encryption, HMAC and SSL support, and other built-in tools for enterprise mobile management. For particularly security-conscious organizations, Alpha Software products can also run on-premises, something Microsoft Power Apps cannot do. Learn More About the Alpha Software Security Framework.

Get Proven, Secure No-Code/Low-Code Software for Citizen Developers

Secure Apps Users Love

Alpha Software has worked for more than 10 years to help enterprises build secure desktop, web, and mobile apps. The company's award-winning no-code and low-code software products help developers become more productive and help citizen developers learn to build secure mobile apps for digital transformation.

Need secure, no-code software for citizen developers at your organization, with less risk and a built-in security framework? Take a free trial of Alpha TransForm today, and see how easily citizen developers can craft mobile apps with security built in.

For organizations searching for secure, low-code software, developers can download and build apps for free with Alpha Anywhere Community Edition. As mentioned above, it has a comprehensive Security Framework built in.

Read what Gartner had to say about Alpha Anywhere vs. Power Apps.

View a comparison of Alpha Anywhere to Microsoft Power Apps.

Further Reading: What To Know About Low-Code/No-Code Platform Security

Low-code and no-code development platforms are great tools for rapid software development, helping non-technical business experts and IT quickly write powerful, useful applications. But are they safe and secure — and what can be done to make sure they meet enterprise-level standards for security? Read the full article to learn what citizen developers need to know about low-code and no-code software security.

Related Reading: Power Apps Limitations

Power Apps is free...or is it?

About Author

Amy Groden-Morrison

Amy Groden-Morrison has served more than 15 years in marketing communications leadership roles at companies such as TIBCO Software, RSA Security and Ziff-Davis. Most recently she was responsible for developing marketing programs that helped achieve 30%+ annual growth rate for analytics products at a $1Bil, NASDAQ-listed business integration Software Company. Her past accomplishments include establishing the first co-branded technology program with CNN, launching an events company on the NYSE, rebranding a NASDAQ-listed company amid a crisis, and positioning and marketing a Boston-area startup for successful acquisition. Amy currently serves as a Healthbox Accelerator Program Mentor, Marketing Committee Lead for the MIT Enterprise Forum of Cambridge Launch Smart Clinics, and on the organizing team for Boston TechJam. She holds an MBA from Northeastern University.

The Alpha platform is the only unified mobile and web app development and deployment environment with distinct “no-code” and “low-code” components. Using the Alpha TransForm no-code product, business users and developers can take full advantage of all the capabilities of the smartphone to turn any form into a mobile app in minutes, and power users can add advanced app functionality with Alpha TransForm's built-in programming language. IT developers can use the Alpha Anywhere low-code environment to develop complex web or mobile business apps from scratch, integrate data with existing systems of record and workflows (including data collected via Alpha TransForm), and add additional security or authentication requirements to protect corporate data.