🎉 Introducing the most advanced security platform for Bubble for free (Bubble App Audit)

Hey Bubble community! :wave:

Well this is a fun one. I'm excited to announce the release of NQU Secure - the most advanced security audit platform in the Bubble ecosystem. And it's completely free.

But hang on, didn't Bubble just acquire Flusk? Yeah, but I felt that more could be done to vet app security, and there's a need for third party security review in the ecosystem as a whole.

This is not a micro-tool - it produces deeper, more insightful analysis than any existing Bubble security tools.

Oh - one more thing? It's built on Bubble!

Why NQU Secure is best-in-class:

  • The most powerful audit engine – Context-aware analysis that understands your app's purpose, detailed explanations, and exportable reports
  • Advanced privacy testing – Test data access between user types, not just for logged-out users.
  • Infinite editor version control – Unlimited version backups with automated scheduling. Free, on all Bubble plans.
  • Complete data backup solution – 6 months retention of database, logs, and file manager backups (generously powered by PlanB Backups by @lindsay_knowcode).
  • Fast and easy to understand - NQU Secure runs fast, and has a simple, clean UI that makes it easy for you to run audits on different apps.

View your app's results summary with no signup required. Try it now at https://secure.notquiteunicorns.xyz

It's free. No credit card. No premium tier. (We haven't even integrated a payment gateway!)

Happy building! :rocket:

FAQ

How is NQU Secure free?

NQU Secure is created and maintained by Not Quite Unicorns agency. The free security platform allows us to demonstrate our expertise while giving back to the Bubble community. Revenue from our agency services funds the platform's development and maintenance.

Will it be free forever? I don't know - it depends on how expensive it gets. But I'll do everything I can to keep it free.

Do I need to provide collaborator access?

No! NQU Secure can perform comprehensive security audits without requiring editor or collaborator access.

Can I audit any app?

No! To view the full audit results, you'll need to verify your ownership of the app. This can be done in several ways:

  • Inviting NQU Secure as a collaborator
  • Adding a test page
  • Adding an HTML header

This verification requirement exists because NQU Secure's advanced capabilities need to be used responsibly by legitimate app owners and developers.

How is my data handled?
  • All app data is stored within Bubble
  • We use LLMs for certain security checks, but your data is never used for training
  • Security checks are performed on our self-hosted servers
  • Primary data processors are:
    • Bubble
    • Google Cloud
    • OpenRouter
    • OpenAI


Any feedback or thoughts? Let me know below :slight_smile:

45 Likes

yah - I am first :slight_smile: I was always a fan of Flusk, but I am more of a fan of NQUSecure - It should come with a warning - you will find new vulnerabilities that will disrupt your planned day as you scurry to fix them. :slight_smile:

Being able to test with real Users logged in is vital - for privilege escalation exploits.

11 Likes

A few particular thank yous from the community:

And, if you're getting FOMO, there'll be more bugs so you can help me help the community by reporting them too :grin: False positives are more common than false negatives by design, but if you encounter anything you think shouldn't be classed as an issue, then do use the flag feature to let us know so we can improve it.

11 Likes

Congrats on the launch @georgecollier!

It's a slick product and is going to be a massive win for the wider Bubble community.

4 Likes

Oh, I'll be doing an AMA on the Codeless Love Slack tomorrow (Wednesday) if anyone wants to drop by and chat about building maintainable, scalable, and secure apps on Bubble! Link: Slack

2 Likes

Just want to add - zero affiliation to @georgecollier, but this is genuinely one of the coolest Bubble apps that I've seen to date. From onboarding experience, to the dashboard UI, through to the ease of use, this is a brilliant tool and I'd highly recommend to all.

Congrats on the launch :tada:

1 Like

I'm glad it was compelling enough to encourage you to reply after a year away from the forum :rofl:

Thank you for the encouragement :slight_smile:

I had a few priorities:

  • easy to use, and understand
  • fast UI, quick setup
  • make it the most accurate audit in the ecosystem
  • while I'm there, throw in the nice to haves like infinite backups

1 Like

haha - I'm a daily Bubble user that never contributes to the forum... until now!

1 Like

Okay time-to-value was 3 minutes. What a great tool. Already using the results.

1 Like

You all are going to bankrupt me with the amount of WU notifications I'm getting :rofl: If any of you want to share screenshots of example results so people can see what to expect then I'm sure it'd be appreciated!

2 Likes

This is SO AMAZING @georgecollier.

  • The breadth of the tests.
  • Its simplicity and UX.
  • The careful handling applied to the results given.
  • And that itā€™s free to use.

This is one of, if not the best, contributions that I have seen to the Bubble community. If you have a platform in production, you must must must scan it with this tool.

Side note, we cannot believe that API Connector initialisation response data is publicly available.

5 Likes

One of the things I'm pushing for Bubble to do - automatically sanitise the response sample values.

In case anyone reading didn't know, when you initialise an API call, the response data is saved to your app code which the user can see. In actuality, Bubble's engine only needs the type data (is this field a number/boolean/text etc), but it saves the entire sample value. If, then, you initialise an API call and the API returns customer data, that's now in your app code.

6 Likes

Awesome work @georgecollier, this is such a powerful tool and thank you for offering it free for our community!

1 Like

Amazing work @georgecollier ! When is Bubble going to hire you??

I ran my app - at first I was scared that the report said it was leaking API keys, but it just turned out to be test Stripe user accounts. Though it does leave me wondering why Bubble leaves so much of that API connector info open

1 Like

Awesome job on this. Very few people know about the API responses not being sanitized, hopefully this awareness leads Bubble to make changes around how these responses are displayed. We should be able to make the field names private too, ideally. There is one more very esoteric exploit that I'm going to DM you to include that I don't believe is checked by you.

Can we do a full-delete of all audited data? Meaning there's zero trace it was ever run?

Also, it's good that you're hiding the details behind a verification wall as otherwise this would be legally very dubious, but can we as verified app owners also submit a request to prevent checks from running? Right now any competitor or investor can collect non-trivial information about an app. This could present serious legal consequences down the line, which would not be a good thing for the community as I believe this app is a net good.

2 Likes

You can delete your account or just an app's data (though that has Bubble's normal deletion limit where I could technically restore the DB for 30 days).

I hadn't thought about checking it but can add it today probably. I'm going to be adding more of Bubble's quirky exploits that nobody checks for. I'll probably need a filter on the audit review page that allows you to filter issues by obscurity so that you can prioritise the easy/obvious issues, and then work on the ones that are still absolutely issues but more complex for an attacker to take advantage of (though not 'difficult').

How do you mean?

Currently, you can scan an app on the homepage. This will return a summary (number of issues by severity). However, this will be blocked if the app is already verified by someone in NQU Secure. So, if you've added and verified ownership of your app, nobody else will be able to view the audit summary for that.

And of course, I had the back and forth in my mind of whether even a summary was okay, but I felt that without it people wouldn't be bothered to even try it as they assume their apps are secure and the ultimate goal should be to get as many people to view their full audit as possible as that'll lead to the greatest good.

And net good really is the priority. @lindsay_knowcode is generously providing database/log/file backup with PlanB for free for NQU Secure users. However, that requires Data API access. So, before using it, we require users to run an audit and get passes for every privacy rule check, because we don't want people with bad privacy rules enabling their data API just for backups!

4 Likes

:ok_hand:

It's a real and serious risk. Unless a company has given you permission for this you could land in serious legal trouble. Especially when you're labeling issues as "critical" etc. Even the summary itself is problematic.

Legal issues notwithstanding, it would theoretically be a perfect tool for hackers to increase the yield of attacks by looking at the summary view before diving in.

I don't think the increased growth from having a short time to value is worth the long-term risk of the instant summary view, both for your tool/agency as well as your relationship to Bubble.

Thanks for flagging. I had to change the model we use for any AI enhanced checks because it was costing hundreds a day as more people were using it than I expected so I'm still dialling this in, but we do more false positives than false negatives. This will only improve in future as I adjust the classification logic and models become more powerful for cheaper. Obviously there's a future option to lock some high powered/extra accurate models behind a paywall that funds it (on a large app, an audit can cost about $1.50 in AI and WU with GPT-4o/Claude 3.5 Sonnet) but I'd like to avoid that if possible.

Not quite, for a few reasons:

  • the security density (or vulnerability density) of an application is measured by the number of issues per unit of code size. Therefore, a large application with X critical issues may actually have a better security density than a smaller application with the same number of issues, since the issues are spread across a larger codebase. So, the number of issues alone isn't particularly interesting
  • it's dead easy to scan for some of the issues we check, including:
    • editor access permissions
    • password policy
    • leaking API keys
  • that's because all of the above are all in the app object that's present on any Bubble app's page. It's trivial to load the page, return the object, and do a tiny bit of automated analysis to fix that.
  • if an app has lots of 'major' issues, there's no hint as to where those are coming from. Chances are if it has plenty of major / critical issues, it has a ton of exploitable backend workflows that an attacker can find anyway, perhaps some leaky data API endpoints, etc. So, given it's so easy to exploit already, better the owner can actually realise that.

Don't forget that Bubble's own tool, Flusk, runs their privacy checker on any app in the same way, and that returns real (though partially redacted) user data. I think what I've added is probably much less risky :slight_smile:

Oh, and I hate to break it to you, but your site is already being analysed by hundreds of bots, crawlers, and AIs :grin:

3 Likes

Nothing about your tool is trivial, or it wouldn't have taken months to build it. You are representing a legal entity, not an anonymous Chinese scraping bot network. The core of your arguments is "other people are doing it too." Won't hold up in court. Feel free to disregard my advice at your own peril, I'm giving it to you for your own good, it doesn't affect me personally either way.

1 Like

Thank you for your advice :slight_smile:

Anyway:

I did have an auto-fix built out for this (a one-click fix that fixes it in your editor automatically by cleaning all sample values). However, I didn't release it widely as while developing it I managed to brick my test app to the extent that not even the editor would load to restore from a backup. I had to fix it by unbricking it directly via writing to the App JSON. Powerful yes, fragile, also yes, and I don't want people using it on production apps!

1 Like
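An added example to make three points from this thread concrete: that initialised API Connector sample values end up in the app object a page exposes, that a raw issue count says less than issues per unit of app size, and that a clean-up only needs to keep each sample's type. This is illustration code written for this edit, not part of the original thread and not NQU Secure's, Flusk's or Bubble's code. It loads an app object as JSON, walks every API Connector sample response, flags strings that match the vendors' documented key prefixes or look like an email address, scores the result as issues per 10 KB of serialised object, and produces a cleaned copy in which every sample value becomes an empty value of the same type. The `api_connector` / `calls` / `sample_response` layout and all sample data are constructed for the example and are not Bubble's real schema; fetching the object from a live page is not shown.

```python
"""Added example: find secrets/PII in API Connector sample responses, score
issues per unit of app size, and redact samples while keeping only their types.

ASSUMPTION: the "api_connector" -> "calls" -> "sample_response" layout and the
SAMPLE_APP data are invented for this example; they are not Bubble's real
app-object schema. Obtaining the object from a live page is not shown here.
"""
import json
import re
from typing import Any, Dict, Iterator, List, NamedTuple, Tuple

# Finding kind -> (compiled pattern, severity). The prefixes are the vendors'
# documented key formats; add patterns for the APIs your own app connects to.
SECRET_PATTERNS: Dict[str, Tuple[Any, str]] = {
    "stripe_secret_key": (re.compile(r"\b[sr]k_(?:live|test)_[0-9A-Za-z]{16,}\b"), "critical"),
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "critical"),
    "bearer_token": (re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{20,}", re.IGNORECASE), "critical"),
    "email_address": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "major"),
}

# Constructed sample app object (not real data): the Stripe call was initialised
# against an account, so its saved sample carries a test key and a customer email.
SAMPLE_APP: Dict[str, Any] = {
    "app_name": "example-store",
    "api_connector": {"calls": [
        {"name": "Stripe - Create Customer",
         "sample_response": {"id": "cus_Example123", "email": "jane.doe@example.com",
                             "livemode": False, "balance": 0,
                             "metadata": {"api_key_used": "sk_test_51ExampleKeyValue0000ABCD"}}},
        {"name": "Weather - Current",
         "sample_response": {"city": "London", "temp_c": 14.2, "alerts": []}},
    ]},
}


class Finding(NamedTuple):
    call: str
    path: str
    kind: str
    severity: str


def iter_leaves(value: Any, path: str = "$") -> Iterator[Tuple[str, Any]]:
    """Depth-first walk yielding (json-path, scalar) for every leaf value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from iter_leaves(child, f"{path}.{key}")
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from iter_leaves(child, f"{path}[{i}]")
    else:
        yield path, value


def find_leaks(app: Dict[str, Any]) -> List[Finding]:
    """Flag every string in any sample response that matches a secret/PII pattern."""
    findings: List[Finding] = []
    for call in app.get("api_connector", {}).get("calls", []):
        for path, leaf in iter_leaves(call.get("sample_response")):
            if not isinstance(leaf, str):
                continue
            for kind, (pattern, severity) in SECRET_PATTERNS.items():
                if pattern.search(leaf):
                    findings.append(Finding(call.get("name", "<unnamed>"), path, kind, severity))
    return findings


def vulnerability_density(app: Dict[str, Any], findings: List[Finding], per_bytes: int = 10_000) -> float:
    """Issues per `per_bytes` of serialised app object. The same raw count in a
    larger app gives a lower density, which is the point made in the thread."""
    size = len(json.dumps(app, separators=(",", ":")).encode("utf-8"))
    return len(findings) * per_bytes / size


def redact_samples(value: Any) -> Any:
    """Replace each sample value with an empty value of the same type, which is
    all that is needed to type the response fields."""
    if isinstance(value, dict):
        return {key: redact_samples(child) for key, child in value.items()}
    if isinstance(value, list):   # keep one element so the element type survives
        return [redact_samples(value[0])] if value else []
    if isinstance(value, bool):   # bool is a subclass of int, so test it first
        return False
    if isinstance(value, int):
        return 0
    if isinstance(value, float):
        return 0.0
    if isinstance(value, str):
        return ""
    return None


def clean_app(app: Dict[str, Any]) -> Dict[str, Any]:
    """Return a deep copy of `app` with every sample response redacted."""
    cleaned = json.loads(json.dumps(app))  # deep copy via JSON round-trip
    for call in cleaned.get("api_connector", {}).get("calls", []):
        if "sample_response" in call:
            call["sample_response"] = redact_samples(call["sample_response"])
    return cleaned


if __name__ == "__main__":
    found = find_leaks(SAMPLE_APP)
    for f in found:
        print(f"[{f.severity}] {f.call}: {f.path} looks like {f.kind}")
    print(f"density: {vulnerability_density(SAMPLE_APP, found):.1f} issues per 10 KB")
    print(json.dumps(clean_app(SAMPLE_APP)["api_connector"], indent=2))
```

Run as a script it prints the two findings from the Stripe call, the density figure, and the redacted connector section. The redaction works on a copy in memory; writing a cleaned object back into an app is the fragile step the reply above warns about, and nothing here attempts it.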