Thousands of Android apps leaking user data via misconfigured Firebase databases

New research from Comparitech claims that thousands of Android apps using Google's cloud-hosted Firebase databases are inadvertently leaking sensitive information about their users, including email addresses, usernames, passwords, telephone numbers, and chat messages, because of common misconfigurations of those Firebase databases.

The report is a result of an investigation led by a Comparitech security research team in collaboration with cyber security expert Bob Diachenko. The team analyzed a sample of 515,735 Android apps from the Google Play store. Of these, 155,066 were using Firebase.

Firebase is an app development platform that helps developers build apps quickly and securely. Firebase is used by an estimated 30 percent of all apps on the Google Play Store.

“4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users' personal information, access tokens, and other data without a password or any other authentication,” the research team said.

The vulnerable apps included mostly games, education, entertainment, and business apps that in total have been installed 4.22 billion times by Android users. “Given the average smartphone user has between 60 and 90 apps installed, the chances are high that an Android user’s privacy has been compromised by at least one app,” Comparitech pointed out.

The exposed data, spanning 4,282 apps, included (but was not limited to):

  • Email addresses: 7,000,000+

  • Usernames: 4,400,000+

  • Passwords: 1,000,000+

  • Phone numbers: 5,300,000+

  • Full names: 18,300,000+

  • Chat messages: 6,800,000+

  • GPS data: 6,200,000+

  • IP addresses: 156,000+

  • Street addresses: 560,000+

Other data ranged from credit card numbers to photos of government-issued identification.

Of the 155,066 Firebase apps analyzed, 9,014 also exposed write permissions, which would allow an attacker to add, modify, or remove data on the server in addition to viewing and downloading it.

To find the apps that had publicly exposed databases, the research team first searched each app's resources for strings indicating that Firebase is in use, such as hostnames ending in ".firebaseio.com". They then appended .json to the database URL, the Firebase REST API's endpoint for stored data, to identify databases that were readable without authentication.
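For developers auditing their own project, this is what the misconfiguration looks like in Firebase Realtime Database security rules, shown beside a locked-down version. This is an added example, not from the Comparitech report; the node names users, chats and public_config are hypothetical, and the rules editor accepts // comments.

```json
// Open rules: anyone who knows the database URL can GET /.json
// (read) and PUT/PATCH data (write). This is the "before" the
// article describes, reproduced here only for comparison.
// {
//   "rules": {
//     ".read": true,
//     ".write": true
//   }
// }

// Hardened rules: deny at the root, then grant narrowly. Deeper rules
// can grant access that the root denies, but never the reverse.
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        // A signed-in user may read and write only their own record.
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "chats": {
      "$chatId": {
        // Only listed members of a chat may read or post to it.
        ".read": "auth != null && data.child('members').child(auth.uid).exists()",
        ".write": "auth != null && data.child('members').child(auth.uid).exists()"
      }
    },
    "public_config": {
      // Non-sensitive data may be world-readable, but still not writable.
      ".read": true,
      ".write": false
    }
  }
}
```

With the hardened rules in place, an unauthenticated request to the database's /.json endpoint returns "Permission denied" instead of the full contents.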

The researchers said they destroyed all the accessed data.

The research team notified Google of the issue in April, and the tech giant said it’s reaching out to affected developers to help resolve the problem.
