{"id":896,"date":"2020-05-12T20:16:25","date_gmt":"2020-05-12T19:16:25","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=896"},"modified":"2020-05-12T20:16:25","modified_gmt":"2020-05-12T19:16:25","slug":"4000-android-apps-expose-users-data-via-misconfigured-firebase-databases","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/4000-android-apps-expose-users-data-via-misconfigured-firebase-databases\/","title":{"rendered":"Over 4,000 Android Apps Expose Users&#8217; Data via Misconfigured Firebase Databases"},"content":{"rendered":"<p>More than 4,000 Android apps that use Google&#8217;s cloud-hosted Firebase databases are &#8216;unknowingly&#8217; leaking sensitive information on their users, including their email addresses, usernames, passwords, phone numbers, full names, chat messages and location data.<\/p>\n<p>The investigation, led by Bob Diachenko from Security Discovery in partnership with Comparitech, is the result of an analysis of 15,735 Android apps, which comprise about 18 percent of all apps on the Google Play store.<\/p>\n<p>&#8220;4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users&#8217; personal information, access tokens, and other data without a password or any other authentication,&#8221; Comparitech said.<\/p>\n<p>Acquired by Google in 2014, Firebase is a popular mobile application development platform that offers a variety of tools to help third-party app developers build apps, securely store app data and files, fix issues, and even engage with users via in-app messaging features.<\/p>\n<p>With the vulnerable apps in question \u2014 mostly spanning games, education, entertainment, and business categories \u2014 installed 4.22 billion times by Android users, Comparitech said: &#8220;the chances are high that an Android user&#8217;s privacy has been compromised by at least one app.&#8221;<\/p>\n<p>Given that Firebase is a cross-platform tool, the researchers also warned that the misconfigurations are likely to impact iOS and web apps as well.<\/p>\n<p>The full contents of the database, spanning across 4,282 apps, included:<\/p>\n<ul>\n<li>Email addresses: 7,000,000+<\/li>\n<li>Usernames: 4,400,000+<\/li>\n<li>Passwords: 1,000,000+<\/li>\n<li>Phone numbers: 5,300,000+<\/li>\n<li>Full names: 18,300,000+<\/li>\n<li>Chat messages: 6,800,000+<\/li>\n<li>GPS data: 6,200,000+<\/li>\n<li>IP addresses: 156,000+<\/li>\n<li>Street addresses: 560,000+<\/li>\n<\/ul>\n<p>Diachenko found the exposed databases using Firebase&#8217;s <a href=\"https:\/\/firebase.google.com\/docs\/reference\/rest\/database\" target=\"_blank\" rel=\"noopener noreferrer\">REST API<\/a>, which is used to access data stored on unprotected instances, retrieved in JSON format, by simply suffixing &#8220;\/.json&#8221; to a database URL (e.g. &#8220;https:\/\/~project_id~.firebaseio.com\/.json&#8221;).<\/p>\n<div class=\"separator\"><a href=\"https:\/\/thehackernews.com\/images\/-JLAt1oCLYKI\/Xrp40r2UsaI\/AAAAAAAAAU8\/dg8Pg-GePiUK3VwPbB_fDLZVtv9R-ykewCLcBGAsYHQ\/s728-e100\/firebase-database-security.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" title=\"firebase database security\" src=\"https:\/\/thehackernews.com\/images\/-JLAt1oCLYKI\/Xrp40r2UsaI\/AAAAAAAAAU8\/dg8Pg-GePiUK3VwPbB_fDLZVtv9R-ykewCLcBGAsYHQ\/s728-e100\/firebase-database-security.jpg\" alt=\"Firebase database security\" width=\"728\" height=\"378\" border=\"0\" data-original-height=\"378\" data-original-width=\"728\" \/><\/a><\/div>\n<p>Aside from 155,066 apps having publicly exposed databases, the researchers found 9,014 apps with write permissions, thus potentially allowing an attacker to inject malicious data and corrupt the database, and even spread malware.<\/p>\n<p>Complicating the matter further is the indexing of Firebase database URLs by search engines such as Bing, which exposes the vulnerable endpoints to anyone on the Internet. A Google search, however, returns no results.<\/p>\n<p>After Google was notified of the findings on April 22, the search giant said it&#8217;s reaching out to affected developers to patch the issues.<\/p>\n<p>This is not the first time exposed Firebase databases have leaked personal information. Researchers from mobile security firm Appthority found a similar case two years ago, resulting in the exposure of 100 million data records.<\/p>\n<p>Leaving a database exposed without any authentication is an open invitation for bad actors. It is therefore recommended that app developers adhere to Firebase database rules to secure data and prevent unauthorized access.<\/p>\n<p>Users, for their part, are urged to stick to only trusted apps and be cautious about the information that&#8217;s shared with an application.<\/p>\n<div>You May Also Like to read:<\/div>\n<div><a href=\"http:\/\/zerothcode.com\/blog\/hackers-can-silently-control-google-home-alexa-siri-laser-light\/\">http:\/\/zerothcode.com\/blog\/hackers-can-silently-control-google-home-alexa-siri-laser-light\/<\/a><\/div>\n","protected":false},"excerpt":{"rendered":"<p>More than 4,000 Android apps that use Google&#8217;s cloud-hosted Firebase databases are &#8216;unknowingly&#8217; leaking sensitive information on their users, including<\/p>\n","protected":false},"author":1,"featured_media":897,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[37],"tags":[],"yst_prominent_words":[1351,160,1340,1348,307,1347,171,209,1342,253,1349,1341,1350,1344,1346,265,261,921,1345,170],"class_list":["post-896","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackers-news"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/896","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=896"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/896\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/897"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=896"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}