Thousands of Android Apps Leak Data Due to Misconfigured Firebase
Avast analysts have calculated that thousands of Android applications are leaking a variety of data due to misconfigured Firebase database.
Researchers remind that thanks to Firebase, data can be stored in a huge number of different applications – for training, games, mail, food delivery and others, and in regions around the world, including Europe, Eastern Europe, the Middle East, Southeast Asia and Latin America.
As a result, databases can contain personal information collected by these applications, such as names, addresses, locations, and in some cases even passwords.
Many developers use the Firebase platform to build Android apps. In doing so, they can leave their developments in Firebase visible to other developers, which technically makes them visible to everyone.
When Avast Threat Labs researchers examined 180,300 public Firebase instances, they found that more than 10% (19,300) were open due to misconfiguration, meaning the data was accessible to unauthenticated people.
Let me remind you that this is not the first time that experts have been talking about the problem of incorrectly configured Firebase. For example, back in 2018, Appthority analysts scanned 2.7 million Android and iOS apps and identified 28,502 products (27,227 apps for Android and 1,275 for iOS) that access Firebase and use this backend.
Of these, 3,046 applications (2,446 for Android and 600 for iOS) stored data inside 2,271 misconfigured Firebase databases, allowing anyone to view their contents.
Even worse, most databases are hosted on the firebaseio.com domain, and databases that do not require a password are often indexed by search engines, making them discoverable with simple queries. And while Google tries to exclude such results from SERPs, other search engines still do not ignore the Firebase backend, and underground data brokers regularly collect information.
Let me remind you that I also talked about the fact that Avast specialists discovered a fake version of Malwarebytes antivirus.