Firebase: Thousands of apps leak user data

Firebase, Googles development platform for mobile, is used by hundreds of developers and thousands of apps – so it kind of is a big deal. And – thanks to being misconfigured – apparently also a great source for cybercriminals who want to siphon off user data.

Anyone who’s developing a new Android app, will most likely get in contact with Firebase. It offers basically everything from the all-important push notifications to cloud messaging, databases, analytics, advertisement, and more. Sounds great, right? But with great power comes great responsibility, something a lot of web developers apparently did not take all too seriously.

More than 3000 mobile apps are leaking data

Appthority’s security researchers deliver a shocking report: After half a year of research and scanning over 2.7 million mobile apps, they found out that 2446 Android and 600 iOS apps are saving data in databases that are misconfigured. What sounds like some minor issue is set into perspective by the more than 100 million user records that are being leaked because of it, in total a whopping amount of 113 gigabyte of data.

The information collected by the researchers includes data such as:

  • 2.6 million plaintext passwords and user IDs
  • 4 million+ PHI (Protected Health Information) records (chat messages and prescription details)
  • 25 million GPS location records
  • 50,000 financial records including banking, payment and Bitcoin transactions
  • 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens.

How can something like that happen? While Firebase offers the developers all these great services, it does not provide protection. The devs need to set it up themselves for whatever app they want to connect with the service. If done insufficiently (or not all) it seems to be very easy for anyone to get access to the data stored in the database: One just needs to add a “/.json” to the server URL according to the researchers, so a compromised API URL would look something like this: https://Random project name.firebaseio.com/.json

It’s likely you have one of those apps installed

According to the researchers no one is actually safe. The apps are spread over almost every category, including tools, productivity, health and fitness, communication, cryptocurrency, finance and business apps so it is very likely you have at least one of them on your smartphone. Even worse, most enterprises seem to be impacted as well: 62% of enterprises have at least one vulnerable app in their mobile environment.

Luckily Google informed the apps and servers that are leaking information. If taken seriously by its developers the issue should soon be taken care off and everyone’s data will be safe again.

This post is also available in: German

PR & Social Media Manager @ Avira |Gamer. Geek. Tech addict.