Over 4000 Android Apps Expose Users' Data via Misconfigured Firebase Databases
2020-05-12 03:37

More than 4,000 Android apps that use Google's cloud-hosted Firebase databases are 'unknowingly' leaking sensitive information on their users, including their email addresses, usernames, passwords, phone numbers, full names, chat messages and location data.

"4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users' personal information, access tokens, and other data without a password or any other authentication," Comparitech said.

Acquired by Google in 2014, Firebase is a popular mobile application development platform that offers a variety of tools to help third-party app developers build apps, securely store app data and files, fix issues, and even engage with users via in-app messaging features.

With the vulnerable apps in question - mostly spanning games, education, entertainment, and business categories - installed 4.22 billion times by Android users, Comparitech said: "The chances are high that an Android user's privacy has been compromised by at least one app."

Diachenko found the exposed databases using Firebase's known REST API, which is used to access data stored on unprotected instances and returns it in JSON format, by simply suffixing "/.json" to a database URL. Aside from 155,066 apps having publicly exposed databases, the researchers found 9,014 apps with write permissions, thus potentially allowing an attacker to inject malicious data, corrupt the database, and even spread malware.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/85GPqtqnfQA/android-firebase-database-security.html

Related vendor

| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|---|
| Android | | 4 | 0 | 17 | 2 | 0 | 19 |