Comparitech security researchers have discovered that thousands of Android applications distributed through Google Play leak sensitive information due to Firebase misconfigurations.
Launched in 2011, Firebase is a mobile app development platform that Google acquired in 2014. It can be used for authentication, hosting, cloud storage, analytics, messaging, and more.
Roughly 30% of all the applications in Google Play are believed to be using Google Firebase to store user data, but many of them are not properly secured. Overall, 4.8% of all mobile apps using Firebase are believed to be leaking personal information, access tokens, and other types of data.
After looking at 515,735 Android applications in Google Play, Comparitech’s researchers found 4,282 apps that leak sensitive information.
“If we extrapolate those figures, an estimated 0.83 percent of all Android apps on Google Play leak sensitive data through Firebase. That’s roughly 24,000 apps in total,” the researchers note.
The identified vulnerable applications have a combined download count of more than 4.22 billion. These figures, however, only include the download counts from Google Play, and not third-party application marketplaces.
Data exposed through these misconfigurations includes email addresses (Comparitech identified more than 7,000,000), usernames (over 4,400,000), passwords (more than 1,000,000), phone numbers (in excess of 5,300,000), full names (more than 18,300,000), chat messages (6,800,000+), GPS data (6,200,000+), IP addresses (156,000+), and street addresses (560,000+), among others.
The researchers say that credit card numbers and photos of government-issued identification were also being exposed.
“Of the 155,066 Firebase apps analyzed, 11,730 had publicly exposed databases. 9,014 of them even included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it,” Comparitech says.
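For developers checking their own projects, the following added example (not code from Comparitech or Google) audits an exported Firebase Realtime Database rules file for the public read and write grants described above. It assumes the rules are strict JSON without comments; the sample rules and all function names are constructed for illustration.

```python
import json

# Constructed sample rules (hypothetical app, not from the report).
SAMPLE_RULES = json.loads("""
{"rules": {
  ".read": "auth != null",
  "public_posts": {".read": true},
  "users": {"$uid": {".read": "auth.uid === $uid", ".write": "auth.uid === $uid"}},
  "chat": {
    ".read": "true",
    ".write": true,
    "messages": {".write": "auth != null"}
  }
}}
""")

def is_public(expr):
    """True when a rule grants access to everyone, signed in or not."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")

def audit(node, path="", inherited=(False, False)):
    """Walk the rules tree and return (path, access, status) findings.

    'public'      - this node grants unauthenticated access itself.
    'ineffective' - this node has a stricter rule, but an ancestor already
                    grants public access; grants cascade to child paths
                    and a deeper rule cannot revoke them.
    """
    findings, state = [], []
    for i, key in enumerate((".read", ".write")):
        expr = node.get(key)
        if is_public(expr):
            findings.append((path or "/", key[1:], "public"))
        elif expr is not None and inherited[i]:
            findings.append((path or "/", key[1:], "ineffective"))
        state.append(is_public(expr) or inherited[i])
    for name, child in node.items():
        if isinstance(child, dict):
            findings += audit(child, f"{path}/{name}", tuple(state))
    return findings

def audit_rules(doc):
    return audit(doc.get("rules", {}))

if __name__ == "__main__":
    for path, access, status in audit_rules(SAMPLE_RULES):
        print(f"{status:12} {access:5} {path}")
```

An "ineffective" finding is the easy one to miss in review: the stricter rule under `/chat/messages` looks correct in isolation, yet the parent's public write grant still applies to it.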
A cross-platform tool, Firebase is used on many operating systems and platforms, not just mobile, and the identified misconfigurations are believed to affect a much larger number of applications.
Google was alerted to the findings in late April and said it was reaching out to the affected developers to help them address the identified issues.
The problem, however, is not new. In 2018, Appthority identified over 3,000 Android and iOS applications that were leaking 100 million records (113 gigabytes of data) from Firebase databases.