PrivacyTech NewsTrending

About 4,000 Android Apps Exposes Customers Data: Misconfigured Database

Security researchers in the analysis found that more than 4,000 Android apps that are using Google cloud-hosted Firebase are unknowingly exposing users to sensitive information including usernames, passwords, full name, chat messages, and phone numbers.

Firebase is a mobile and web application development platform that was developed by Firebase in 2011 and acquired by Google in 2014. The platform helps third party developers by offering a variety of tools to build apps, securely store app data and files, engage with users through messaging features.

The security team that leads by Bob Diachenko from Security Discovery with Comparitech had examined over 515,735 Android apps from Play Store.

Android-database-exposed-firebase

More than 4,282 Android apps were leaking sensitive data, that is an estimate of 0.83% of all applications from Google Play leak sensitive data through Firebase.

Comparitech said

Firebase is a cross-platform tool used across several operating systems and platforms, researchers also said that the misconfiguration also impacts Android, IOS as well as web apps.

Firebase Exposed data 

The exposed data includes:

  • E-mail addresses: 7,000,000+
  • Usernames: 4,400,000+
  • Passwords: 1,000,000+
  • Phone numbers: 5,300,000+
  • Full Name: 18,300,000+
  • Chat messages: 6,800,000+
  • GPS data: 6,200,000+
  • IP addresses: 156,000+
  • Street addresses: 560,000+
firebase exposed databases

Researchers also found credit card numbers and photos of government-issued identification.

Scrubs exposed databases from search results

The researchers use Firebase’s REST API to access the stored database through the search by appending .json in the URL 

For example https://.firebaseio.com/.json

After analysing 11,730 publicly exposed databases researchers found that 9,014 databases also include write permissions which can allow unauthenticated attackers to modify, add and delete the whole database.

The exposed database could allow an attacker to:

  • Inject data into an application
  • Scam peoples through Phishing 
  • Spread malware
  • Corrupt database of the application 

After the investigation was completed Google was notified of the findings with detail report.

Guidelines to be followed by Developers:

Guidelines to be followed by Users

  • Never use the same passwords in multiple platforms 
  • Do not share sensitive information such as government ID, Social Security numbers, etc.
  • Use only trusted apps

Satender Kumar

A Blogger always fascinated with the technology and gather as much amount of knowledge from the internet. Loves to share the knowledge with the others and always available to play chess.

Related Articles

Leave a Reply

Back to top button
The Tech Infinite