Developers Not Sticking to Firebase Guidelines Risking Personal Data of Millions

What exactly happened?

Key insights from the report

• The team revealed that an estimated 30% of all apps on the Google Play Store use Firebase.
• The security team reviewed about 18% of apps in the Play store and found 4,282 apps leaking sensitive information.
• 4.8 percent of mobile apps that use Firebase to store user data are not properly secured. 
• These databases containing users’ information, access tokens, and other data without any password protection.
• Going by the Google Play category, game apps topped the list in exposing databases, followed by education apps, entertainment, business, and travel, in that order.

Access to database

• To find Firebase URLs, experts sought each app's resources for text strings ending ".firebaseio[.]com."
• They added '.json' to the end of the Firebase URL to expose the contents of vulnerable databases. Anyone could have done that, told experts.
• Exposed data included email addresses, phone numbers, usernames, passwords, addresses, chat messages, GPS data (in case the address is not enough), and more.
• There were also a few exposures of passport data, credit cards, and "photos of government-issued identification."

Insecurities with Firebase

• In 2018, a report discovered that some 3,000 iOs and Android apps were leaking nearly 113 GB of unprotected data extended over 2,271 databases.
• Other misconfigured database report from this year revealed that 82% of vulnerabilities are caused due to a misconfiguration issue.

Types of attacks possible

• Spreading malware.
• Manipulating an application. For example, adding a fake headline to an established news app.
• Phishing and scamming application users.
• Corrupting the application database.

Closing lines