Are your apps secure? We all depend on it

Hi Bubblers,

As some of you probably know, one way to test your app’s API requires looking at yourapp.com/api/1.1/meta in order to see what data and workflows are exposed. We do this often to test the security of our own apps. We decided to test a number of Bubble apps and websites and found there is definitely room for improvement in this area.

All in all, most apps expose certain data types and workflows. And when you go deeper in querying those data types (search) through API, either they do not expose any sensitive fields or due to privacy rules, you cannot retrieve any items in those data types. Those apps are indeed secured, at least on their data API side.

While Bubble gives all the tools and functionality to secure this aspect, our testing also showed a large number of Bubble apps and websites that are clearly misconfigured in terms of privacy and security, resulting in thousands of records containing Personally Identifiable Information that are externally exposed and fully accessible.

While this is a critical issue for those apps, it is also compromising the Bubble community and even the platform itself. As no code is still subject to skepticism, it remains a challenge for Bubble and Bubblers to convince users and clients about the legitimacy of the platform. This data negligence undermines this effort greatly.

So in a way, the more each Bubbler ensures their own app security, the more all Bubble apps (and Bubble) will appear as solid and secure.

As our (small) contribution to that, we built a tiny Bubble app, that we use also in our own process. This app can query your data and workflow API’s and gives you an overview of what is exposed, and what is searchable. Again, following what we said before, exposing certain data should not be seen automatically as a breach. However, this small tool can help you to quickly check if you forgot something :

http://apicheck.ideable.co/

Regarding security and privacy good practices, the Bubble manual remains a central reference, and this chapter specifically. And you might also find a bunch of very good discussions about it on this forum (here and here for example).

While knowing about privacy and security is one thing, we think that embedding those best practices into your regular building process is key. Here are some initial principles to keep in mind:

Start Early | When you set up initially an app and the data types structure, create your privacy rules. Those rules might change in the future as you may add other functionalities and even twist a bit your concept along the development path. Anyway, having this privacy rules already there will force you to edit/change them at one point, instead of having no rules at all.

We would propose to @Bubble to check the ‘Make new data types private by default’ by default in each app. Yes, it makes building on Bubble more complicated and less attractive to non-technical new users, but it saves potential security risks in the long run.

Revert from testing | For a lot of reasons, you may want to delete temporarily a privacy rule or avoid authentication for a specific endpoint. We all do that as you need sometimes to know if your workflow doesn’t work because of privacy rules you set up before. The problem is (and we fall into that too sometimes), you easily forget to revert the security/privacy back as you’re so happy that your workflow finally went through

Don’t mess with Users type | While all data types can contain sensitive fields and PII, the User data type contains initially ‘email’ and has a great probability to contain additional personal information. From there, you should always manipulate this data type privacy/security with caution. To refer to the previous point, privacy rules for Users MUST be set up from the start.

Happy to know your thoughts and your own tips on that

Thanks for the nice tool!

Yeah I have to agree. I Recently had the same trail of thought, and as painful as it would be initially to get just right in the development process, long term it would make things so much more secure and saves time.

Ignoring the Privacy Roles until the site is live just leaves things exposed and can easily be forgotten about, with possibly huge security risks as a result later in time. Then there is the trouble of having to go back and implement the Privacy Roles, which can mean a lot of re-testing, debugging and back peddling, making sure all data is accessible to certain users groups or objects and so on.

It would bring about a big change, something that needs to be versioned by Bubble, so that users will need to upgrade manually upon there timely choosing. At least it wouldn’t effect current data types, only ones created from that point onwards, so slightly more flexible then the previous version of ‘do a search for’ with ‘ignore empty constraints’.

Nice post and worthy of bringing to peoples attention. Wouldn’t wont any legal troubles later down the line.

Fantastic post and contribution. Thank you, @mattmazzega!

As I also explained in this request, the door is open with the swagger. Since I didn’t get an answer, I guess it’s in reflection. Good article btw.

Swagger exposure

> https://yoursite.com/api/1.1/meta/swagger

@mattmazzega really well done and incredibly informative. 100% agree with your position on Bubble security being a community issue. If a breach occurs, regardless of why, people will say, “O Bubble isn’t secure”.

Also, big thanks for putting together this tool. I think that’s probably the single best way to secure an app. In my real world example, I have an app that is preparing for its day in the light (going live).

I think(?) it’s secure… and plan to do more testing later but don’t have a clear path for this aside for reading the manual as you stated. Having a tool like this to test for vulnerabilities, then tell me what to do would be the most efficient way I can think of for the community as a whole to get more secure.

We have to bear in mind that Bubble’s goal is to help “non-coders” build apps. The learning curve of databases, responsiveness, APIs, workflows, etc. is steep enough without bringing security into it!

Back to my example… after using your security app, it found 2 potential issues. Having more information on whether or not these are in fact issues and more importantly what to do about them would be key. I imagine this is what other Bubblers are going through as well.

100% agree with your position regarding security being a community issue and your app in my opinion is a great place to start. I would be more than happy to help out in any way in this effort to help make the Bubble community more secure.

What a great little tool! Just ran my couple apps through and it looks like I’m okay so far

This is exactly the issue. When I first came to Bubble back in '16. I was enamored with what all could be done with it but every step in brought more questions that had to be answered.

OMG, look at the invoices I can create! I can even add new line items on demand! Oh, crap, I’m referencing all those product prices at the product level. If I change the product price its going to update the totals on all my invoices… how do I fix that?

And wait… do I put a company field on the invoice thing or a list of invoices on the company thing?

And what happens when someone tries to pay two invoices with one payment?

Yet somewhere in the midst of all the ruckus in my head, I kept seeing people referencing privacy rules. So I checked them out.

What the hell is this? I thought.

I could hardly comprehend a good way (much less the right way) for data to relate to data so a glance at the privacy rules was hardly more than me trying to autobind a field and Bubble saying I don’t have permissions.

Hell, I’ll fix that. EVERYONE can autobind ALL the fields of EVERY data type!

(a real image of my first ever foray into privacy rules )

image2502×342 29.1 KB

Eventually I did emerge from the mental fog of a no coder learning data structure and decided it was in my best interest to educate myself on using Privacy Rules.

No problem, lets search the forum…

It was then I discovered Privacy Rules are not sexy. The only people talking about them were people who already knew how to use them.

Beginners like me who asked questions about them received answers from people with the best of intentions but who simply couldn’t comprehend the absolute ground zero from which we were starting.

Plenty of people were teaching basics on how to toggle group visibility and make changes to things.

But no one was teaching Privacy Rules at a very basic, structural level.

I don’t think that has changed much. I’ve learned how to use them well by now, but I can only imagine there are a couple hundred thousand Bubblers out there who are right where I was a couple years ago.

Loving Bubble and what it can do but without any idea what they are even supposed to do to make their app secure.

Maybe we can change that…

Thanks for the insightful comment. I think this is exactly Bubble’s dilemma, especially now that they focus on founders and non-technical startups more than ever since the funding.

They want to keep Bubble accessible and privacy rules are totally not beginner friendly. However, in the long run it can cause serious issues when apps and website with high exposure and recognizable names are exposed in a bad way.

It will be on Bubble and boomerang back to everyone building on Bubble.

To you question specifically, one of the important rules is: are you exposing Personally Identifiable Information (PII)? You have to be really careful and be completely clear in your privacy policy and terms of service that you are in fact exposing PII to the outside world.

Hi @mattmazzega

Thank you for developing the api check: https://apicheck.ideable.co/

It’s a solid sanity check to ensure that you don’t have unwanted APIs exposed!

Thank you,
G

Thanks @gilles ,

Happy to hear that you found it useful
We are currently working on a wider project, derivated from this, that will help bubblers assess and organize their app development. Will be happy to ping you for the beta test phase if you’re interested !

Hi @mattmazzega,

Yeah, please include me in the beta. Thanks for helping out our bubbler community with your tools!

Hello @mattmazzega, I don’t know if you are looking more testers but I am interested too !

Great info and tools! Thanks for sharing @mattmazzega!

@jcalvarezjr Thanks!

Hi @atoamsh,

Do you have any idea of the cost to do these tests?

Thanks

Interested. If possible please keep me in the info loop on this. Thanks!

We posted the first check tool exactly two years ago, and almost 3K apps have been tested in that time. We thought it was time for an update

The new and improved audit tool can be found here: [Micro App] Audit your Bubble App and Keep it Safe!