Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Thousands of Android Apps Leak Data Due to Firebase Misconfigurations

Comparitech security researchers have discovered that thousands of Android applications distributed through Google Play leak sensitive information due to Firebase misconfigurations.

Comparitech security researchers have discovered that thousands of Android applications distributed through Google Play leak sensitive information due to Firebase misconfigurations.

Launched in 2011, Firebase is a mobile app development platform that Google acquired in 2014. It can be used for authentication, hosting, cloud storage, analytics, messaging, and more.

Roughly 30% of all the applications in Google Play are believed to be using Google Firebase to store user data, but many of them are not properly secured. Overall, 4.8% of all mobile apps using Firebase are believed to be leaking personal information, access tokens, and other types of data.

After looking at 515,735 Android applications in Google Play, Comparitech’s researchers found 4,282 apps that leak sensitive information.

“If we extrapolate those figures, an estimated 0.83 percent of all Android apps on Google Play leak sensitive data through Firebase. That’s roughly 24,000 apps in total,” the researchers note.

The identified vulnerable applications have a combined download count of more than 4.22 billion. These figures, however, only include the download counts from Google Play, and not third-party application marketplaces.

Data exposed through these misconfigurations includes email addresses (Comparitech identified more than 7,000,000), usernames (over 4,400,000), passwords (more than 1,000,000), phone numbers (in excess of 5,300,000), full name (more than 18,300,000), chat messages (6,800,000+), GPS data (6,200,000+), IP addresses (156,000+), and street addresses (560,000+), among others.

The researchers also say that credit card numbers and photos of government-issued identification were also being exposed.

“Of the 155,066 Firebase apps analyzed, 11,730 had publicly exposed databases. 9,014 of them even included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it,” Comparitech says.

A cross-platform tool, Firebase is used on many operating systems and platforms, not just mobile, and the identified misconfigurations are believed to affect a much larger number of applications.

Google was alerted on the findings in late April and said it was reaching out to the affected developers to help them address the identified issues.

The problem, however, is not new. In 2018, Appthority identified over 3,000 Android and iOS applications that were leaking 100 million records (113 gigabytes of data) from Firebase databases.

Related: Thousands of Mobile Apps Leak Data from Firebase Databases

Related: Researchers Discover Hidden Behavior in Thousands of Android Apps

Related: Google Play Protect Scans 100 Billion Android Apps Daily

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.