Data Protection

Thousands of Android Apps Leak Data Due to Firebase Misconfigurations

Comparitech security researchers have discovered that thousands of Android applications distributed through Google Play leak sensitive information due to Firebase misconfigurations.

Launched in 2011, Firebase is a mobile app development platform that Google acquired in 2014. It can be used for authentication, hosting, cloud storage, analytics, messaging, and more.

Roughly 30% of all the applications in Google Play are believed to be using Google Firebase to store user data, but many of them are not properly secured. Overall, 4.8% of all mobile apps using Firebase are believed to be leaking personal information, access tokens, and other types of data.

After looking at 515,735 Android applications in Google Play, Comparitech’s researchers found 4,282 apps that leak sensitive information.

“If we extrapolate those figures, an estimated 0.83 percent of all Android apps on Google Play leak sensitive data through Firebase. That’s roughly 24,000 apps in total,” the researchers note.

The identified vulnerable applications have a combined download count of more than 4.22 billion. These figures, however, only include the download counts from Google Play, and not third-party application marketplaces.

Data exposed through these misconfigurations includes email addresses (Comparitech identified more than 7,000,000), usernames (over 4,400,000), passwords (more than 1,000,000), phone numbers (in excess of 5,300,000), full names (more than 18,300,000), chat messages (6,800,000+), GPS data (6,200,000+), IP addresses (156,000+), and street addresses (560,000+), among others.

The researchers say that credit card numbers and photos of government-issued identification were also being exposed.

“Of the 155,066 Firebase apps analyzed, 11,730 had publicly exposed databases. 9,014 of them even included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it,” Comparitech says.
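The exposure Comparitech describes comes down to the Realtime Database security rules a project deploys: a rules document whose `.read` or `.write` expression is unconditionally true lets any unauthenticated client fetch, and in the write case alter, the data. The following is an added example, not code from Comparitech, Google or the article; it statically audits a rules document for world-readable or world-writable nodes, and also flags the weaker `auth != null` pattern that grants every signed-in user access to everything. The rule documents it checks are constructed samples: the weak one mirrors the open databases the article reports, and the hardened one restricts each user to their own subtree.

```python
"""Audit a Firebase Realtime Database rules document for over-broad access.

Added example (not Comparitech's, Google's or the article's code). It walks
the JSON rules object a project deploys and reports every node whose
".read"/".write" expression is open to the world ("public") or to any
authenticated user at all ("any-user"). Rules cascade to child nodes in
Firebase, so an open rule at "/" exposes the entire tree.
"""
import json

# Expressions that grant access to everyone, including anonymous clients.
PUBLIC_EXPRESSIONS = (True, "true")


def classify(expr):
    """Map a rule expression to a risk label, or None if it looks scoped."""
    if expr in PUBLIC_EXPRESSIONS:
        return "public"
    # "auth != null" alone lets any signed-in account (including anonymous
    # sign-in, if the project enables it) reach this node.
    if isinstance(expr, str) and expr.replace(" ", "") == "auth!=null":
        return "any-user"
    return None


def _walk(node, path, findings):
    """Recursively collect (path, permission, level) for over-broad rules."""
    if not isinstance(node, dict):
        return
    for perm in (".read", ".write"):
        if perm in node:
            level = classify(node[perm])
            if level is not None:
                findings.append((path or "/", perm, level))
    for key, child in node.items():
        if key.startswith("."):
            continue  # ".read"/".write"/".validate" are rules, not children
        _walk(child, f"{path}/{key}", findings)


def audit_rules(rules_json):
    """Return a list of (path, permission, level) findings for a rules file."""
    doc = json.loads(rules_json)
    findings = []
    _walk(doc.get("rules", {}), "", findings)
    return findings


def is_publicly_writable(rules_json):
    """True if an unauthenticated client can write somewhere in the tree."""
    return any(perm == ".write" and level == "public"
               for _, perm, level in audit_rules(rules_json))


# Constructed sample: the weak configuration behind the exposures the article
# describes, the whole tree readable and writable by anyone.
WEAK_RULES = json.dumps({"rules": {".read": True, ".write": True}})

# Constructed sample: still too broad, every signed-in user sees all data.
ANY_USER_RULES = json.dumps({"rules": {".read": "auth != null",
                                       ".write": "auth != null"}})

# Constructed sample: hardened, each user reaches only their own subtree.
HARDENED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid === $uid",
                ".write": "auth != null && auth.uid === $uid",
            }
        }
    }
})

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("any-user", ANY_USER_RULES),
                         ("hardened", HARDENED_RULES)):
        print(f"{label}: {audit_rules(rules) or 'no findings'}")
```

Run against a project's exported rules file before deployment; a "public" finding on `.write` is the condition the article quotes as allowing data to be added, modified or removed by anyone, and a "public" `.read` on `/` is the condition behind the bulk data exposure it reports.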

A cross-platform tool, Firebase is used on many operating systems and platforms, not just mobile, and the identified misconfigurations are believed to affect a much larger number of applications.

Google was alerted to the findings in late April and said it was reaching out to the affected developers to help them address the identified issues.

The problem, however, is not new. In 2018, Appthority identified over 3,000 Android and iOS applications that were leaking 100 million records (113 gigabytes of data) from Firebase databases.

Related: Thousands of Mobile Apps Leak Data from Firebase Databases

Related: Researchers Discover Hidden Behavior in Thousands of Android Apps

Related: Google Play Protect Scans 100 Billion Android Apps Daily

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
