May 20, 2020

4,000 Android apps on Google Play Expose User Data

Firebase is a 2011 product of both mobile and web applications by Firebase, Inc. It was later purchased by Google in 2014.

The Firebase provides various server analytics, authentication, databases, setup, file storage, push messaging and more. Many of these services are stored in the cloud and can be conveniently used.

More than 30 percent of all applications in the Google Play Store use firebase services

Misconfigurations on Google Firebase

Comparitech ‘s security researchers found that 4.8 per cent of mobile applications that use Google Firebase to store data are not properly protected.

The misconfiguration allows anyone “to access databases that contain personal information about users, access tokens, and other data without a password or any other authentication.”

4,282 apps leaking sensitive information in the examined 515,735 Android apps on Google play, according to Comparitech’s security research team.

The misconfigured apps found by Android users to have been installed 4.22 billion times. Using such apps could put user privacy at risk.

Screenshot Capture - 2020-05-14 - 11-51-45

Following are some of the exposed data

  • E-mail addresses: 7,000,000+
  • Usernames: 4,400,000+
  • Passwords: 1,000,000+
  • Phone numbers: 5,300,000+
  • Full Name: 18,300,000+
  • Chat messages: 6,800,000+
  • GPS data: 6,200,000+
  • IP addresses: 156,000+
  • Street addresses: 560,000+

Screenshot Capture - 2020-05-14 - 11-52-16

Games related apps find weak in contrast to other apps in the group.

Screenshot Capture - 2020-05-14 - 11-52-54

“Of the 155,066 examined Firebase applications, 11,730 had the databases open to the public. 9,014 of them have received permission to publish, “the blog post reads.

By letting the user write permissions, false news can be injected, malware spread and the application database compromised.

Of the 11,730 apps revealed, 4,282 user details leaked out. These insecure URLs in the database were found to be indexed by other search engines such as Bing.

The vulnerability reported to Google on April 22, a Google spokesperson said “Firebase provides a number of features that help our developers configure their deployments securely. We provide notifications to developers about potential misconfigurations in their deployments and offer recommendations for correcting them. We are reaching out to affected developers to help them address these issues.”

Leave a Reply

Your email address will not be published. Required fields are marked *