Misconfigured databases exposed over 100 GB of sensitive user information via mobile apps
- Salman Ahmed
- June 29th, 2018
Mobile security firm Appthority recently released a report revealing that Android and iOS apps are leaking sensitive user data through misconfigured Firebase databases.
Firebase is a Backend-as-a-Service (BaaS) platform from Google that lets developers build web and mobile apps without running their own backend. It is widely used by Android developers to add hosted backends and APIs, including a hosted database, to their web and mobile projects.
In January 2018, Appthority researchers began scanning Android and iOS apps that use Firebase backends, paying particular attention to apps that used Firebase's JSON REST URLs. A Firebase Realtime Database is reachable over HTTP: appending .json to the database URL returns the data stored at that path, and unless the database's security rules restrict reads, anyone who requests that URL directly receives the contents without authenticating.
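The check a practitioner would run against their own apps, as an added example written for this page (it is not Appthority's scanner or any Firebase tool): harvest Firebase database URLs from a string dump of an app, build the `.json` REST probe URL for each, and interpret the response. The string dump, the project names in it, and the canned responses are constructed; the `probe()` helper performs a live GET and is only there for use against databases you are authorized to test.

```python
"""Find Firebase Realtime Database URLs in an app's strings and check them for public read.

Added example for this page; not the Appthority scanner or Firebase code.
"""
from __future__ import annotations

import json
import re
import urllib.error
import urllib.request

# Firebase Realtime Database hosts as they appear in app binaries and config files
# (the "firebase_url" entry of google-services.json, hard-coded client strings, ...).
FIREBASE_URL_RE = re.compile(r"https://([a-z0-9-]+)\.firebaseio\.com", re.IGNORECASE)

# Constructed sample standing in for `strings` output over an unpacked APK plus its
# google-services.json. The project names are made up.
SAMPLE_DUMP = """
"firebase_url": "https://example-chat-app.firebaseio.com"
Lcom/google/firebase/database/FirebaseDatabase;
https://EXAMPLE-CHAT-APP.firebaseio.com/messages
https://example-legacy-backup.firebaseio.com
"""


def extract_database_urls(blob: str) -> list:
    """Return the unique database base URLs found in a string dump, in order of first sight."""
    seen = []
    for m in FIREBASE_URL_RE.finditer(blob):
        url = f"https://{m.group(1).lower()}.firebaseio.com"
        if url not in seen:
            seen.append(url)
    return seen


def probe_url(base_url: str, path: str = "") -> str:
    """Build the REST URL that returns the node at `path` as JSON.

    Appending .json to a database path is Firebase's documented REST interface;
    shallow=true asks for only the top-level keys, so a probe does not pull the whole database.
    """
    return f"{base_url}/{path.strip('/')}.json?shallow=true"


def classify_response(status: int, body: str) -> str:
    """Interpret one probe result.

    A read the rules allow comes back as HTTP 200 with the JSON at that path (``null`` if
    the path holds nothing); a read the rules deny comes back as HTTP 401 with
    {"error": "Permission denied"}. Anything else is reported as unknown rather than guessed.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if isinstance(data, dict) and "error" in data:
        if status == 401 or "permission" in str(data["error"]).lower():
            return "permission-denied"
        return "unknown"
    if status == 200:
        return "public-read" if data is not None else "public-read-empty"
    return "unknown"


def probe(base_url: str, path: str = "", timeout: float = 10.0) -> str:
    """Issue one unauthenticated GET and classify it (live network access; not run below)."""
    req = urllib.request.Request(
        probe_url(base_url, path), headers={"User-Agent": "firebase-exposure-check"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for url in extract_database_urls(SAMPLE_DUMP):
        print("would probe:", probe_url(url))
    # Constructed responses illustrating the two outcomes the scan distinguishes.
    print(classify_response(200, '{"messages": true, "users": true}'))  # public-read
    print(classify_response(401, '{"error": "Permission denied"}'))      # permission-denied
```

A `public-read` result on the root URL means the whole database is readable by anyone who knows the project name, which is exactly the condition the report counts as a misconfigured database; a `permission-denied` on the root does not rule out public subtrees, so probe the paths the app actually uses as well.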
Appthority researchers scanned about 2.7 million Android and iOS apps and identified 28,502 iOS and Android apps that used Firebase backends. Of these, 3,046 apps used 2,271 misconfigured Firebase databases that exposed sensitive data to third parties.
Together these databases held more than 100 million records, over 113 GB of sensitive user data, including information such as:
According to Appthority, the Android apps backed by misconfigured Firebase databases have been downloaded more than 620 million times from the Play Store alone, which suggests that a good number of them are popular with users.
Appthority states that it informed Google of the problem before publishing. The firm had previously found, last year, that app backend servers were leaking user data: as much as 43 TB of user data was exposed through backend servers such as MySQL and others.
It also found that dozens of developers had left API credentials in apps built on the Twilio service, exposing customers' text messages and call recordings.
The report shows that developers are either negligent in their practices or simply unaware of the ways user data can leak. Either way, it is a wake-up call for iOS and Android developers, and it highlights the importance of database configurations, in Firebase's case the security rules that govern every read and write, that prevent this kind of mass leakage of user data.
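What the configuration point above looks like in practice, as an added example written for this page (not Appthority's or Firebase's code): the three rule sets below are constructed Firebase Realtime Database rules documents, and the small audit routine walks such a document and flags grants that make data readable by everyone or by any signed-in user. The path names and the `audit_rules` function are this example's own.

```python
"""Audit a Firebase Realtime Database rules document for world-readable or world-writable paths.

Added example for this page. The rule sets are constructed; the audit logic is not Firebase's.
"""
import json

# Weak: the shape of rules that leaves a database readable (and writable) by anyone who
# knows the URL. This is the condition the scan in the article detects.
WEAK_RULES = json.dumps({"rules": {".read": True, ".write": True}})

# Also weak in practice: "auth != null" grants every signed-in user access to everything,
# and if anonymous sign-in is enabled any client can satisfy it.
BROAD_RULES = json.dumps({"rules": {".read": "auth != null", ".write": "auth != null"}})

# Hardened: nothing is granted at the root, and each user may read and write only their
# own subtree. $uid is a Firebase rules wildcard bound to the path segment.
STRICT_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
})


def _is_public(expr) -> bool:
    """A rule that is literally true (boolean or the string 'true') admits everyone."""
    if expr is True:
        return True
    return isinstance(expr, str) and expr.strip().lower() == "true"


def _is_any_auth(expr) -> bool:
    """'auth != null' on its own admits every authenticated user, not just the data owner."""
    return isinstance(expr, str) and expr.replace(" ", "") == "auth!=null"


def audit_rules(rules_json: str) -> list:
    """Return (path, permission, severity) findings for a rules document.

    Firebase rules cascade downward: a .read or .write granted at a node cannot be revoked
    deeper in the tree, so a public grant near the root exposes everything beneath it.
    """
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_public(value):
                    findings.append((path or "/", key, "public"))
                elif _is_any_auth(value):
                    findings.append((path or "/", key, "any-authenticated-user"))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("broad", BROAD_RULES), ("strict", STRICT_RULES)):
        print(name, audit_rules(doc))
```

Run against a project's exported rules, a `public` finding at `/` is the misconfiguration the report describes; an `any-authenticated-user` finding is not a public leak but still lets one user read every other user's records, which is rarely what a per-user data model intends.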