Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Thousands of Android Apps Leak Data Due to Firebase Misconfigurations

Comparitech security researchers have discovered that thousands of Android applications distributed through Google Play leak sensitive information due to Firebase misconfigurations.

Comparitech security researchers have discovered that thousands of Android applications distributed through Google Play leak sensitive information due to Firebase misconfigurations.

Launched in 2011, Firebase is a mobile app development platform that Google acquired in 2014. It can be used for authentication, hosting, cloud storage, analytics, messaging, and more.

Roughly 30% of all the applications in Google Play are believed to be using Google Firebase to store user data, but many of them are not properly secured. Overall, 4.8% of all mobile apps using Firebase are believed to be leaking personal information, access tokens, and other types of data.

After looking at 515,735 Android applications in Google Play, Comparitech’s researchers found 4,282 apps that leak sensitive information.

“If we extrapolate those figures, an estimated 0.83 percent of all Android apps on Google Play leak sensitive data through Firebase. That’s roughly 24,000 apps in total,” the researchers note.

The identified vulnerable applications have a combined download count of more than 4.22 billion. These figures, however, only include the download counts from Google Play, and not third-party application marketplaces.

Data exposed through these misconfigurations includes email addresses (Comparitech identified more than 7,000,000), usernames (over 4,400,000), passwords (more than 1,000,000), phone numbers (in excess of 5,300,000), full name (more than 18,300,000), chat messages (6,800,000+), GPS data (6,200,000+), IP addresses (156,000+), and street addresses (560,000+), among others.

The researchers also say that credit card numbers and photos of government-issued identification were also being exposed.

Advertisement. Scroll to continue reading.

“Of the 155,066 Firebase apps analyzed, 11,730 had publicly exposed databases. 9,014 of them even included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it,” Comparitech says.

A cross-platform tool, Firebase is used on many operating systems and platforms, not just mobile, and the identified misconfigurations are believed to affect a much larger number of applications.

Google was alerted on the findings in late April and said it was reaching out to the affected developers to help them address the identified issues.

The problem, however, is not new. In 2018, Appthority identified over 3,000 Android and iOS applications that were leaking 100 million records (113 gigabytes of data) from Firebase databases.

Related: Thousands of Mobile Apps Leak Data from Firebase Databases

Related: Researchers Discover Hidden Behavior in Thousands of Android Apps

Related: Google Play Protect Scans 100 Billion Android Apps Daily

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...