Misconfigured Database exposed thousands of GB’s worth of sensitive user information via Mobile apps

Mobile security firm Appthority recently released a report, revealing that Android and iOS apps are leaking sensitive user data through misconfigured Firebase databases.

Firebase is a BaaS (Backend-as-a-service) offered by Google that facilitates mobile developers to create and design web and mobile apps. The service is widely used by Android developers who use it to add a host backends and APIs into their web or mobile-based projects.

Appthority’s big reveal

Researchers at Appthority began scanning Android and iOS apps based on Firebase systems this January. Special attention was dedicated to those apps that particularly used JSON URLs from Firebase. These URLs were found to expose an app’s data to any unauthorized user when accessed directly.

Appthority researchers scanned about 2.7 million Android and iOS apps and identified a total of 28,502 apps on iOS and Android combined which used Firebase backends. The scan revealed an alarming number of 3,046 apps in total using 2,271 misconfigured Firebase databases, exposing sensitive data to third parties.

The total sum of data exposed through these databases is 100 million records. This leaked data is worth more than 113 GBs consisting of a variety of sensitive user information. This includes information such as:

  • 5 million LinkedIn, Firebase, Facebook, and corporate data
  • 25 million records of GPS location
  • 6 million user IDs and plaintext passwords
  • 50 thousand financial records including bitcoin, banking, and payment
  • 4 million Protected Health Information records including prescription details


According to Appthority, Android apps using misconfigured Firebase databases have been downloaded more than 620 million times through the PlayStore itself. This alarming statistic suggests that quite a few of these apps are popular among users.

Appthority has communicated its findings to Google before

Appthority states that it has informed Google about this problem before. The security firm previously found last year that app back servers have been leaking important user information. As much as 43 TBs of user data via backend servers of MySQL and others was found exposed.

In addition, the firm uncovered evidence that dozens of developers had left API credentials in apps based on Twilio service. This led to the leak of text messages and call recordings of customers.

The reveal in this report clearly shows that developers are either negligent in their practices or are simply unaware of the various ways in which user data can be leaked. Nonetheless, this report is a wake-up call for both iOS and Android developers and highlights the importance of using database configurations that prevent against such mass leakage of user data.

Salman Ahmed's Biography

Salman Ahmed Siddiqui is a passionate writer who loves to write about online privacy, crypto economy and trending technological developments. He loves to provide effective tips and guideline related to rising cyber challenges. When he is not writing, Salman watches Manchester United play and demonstrates his love for football with his mad FIFA skills.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *