Thousands of Android and iOS apps leaking sensitive data via misconfigured Firebase backends

  • More than 100 million individual records of user data from 3,046 Android and iOS apps were leaked.
  • Compromised data includes plaintext passwords, health information, GPS location data and financial records.

Security researchers have discovered that thousands of iOS and Android mobile applications have been exposing over 113GB worth of data through misconfigured Firebase databases. According to mobile security firm Appthority, more than 2,271 misconfigured Firebase databases inadvertently leaked over 100 million records of user data from 3,046 Android and iOS apps.

The exposed data was a trove of sensitive information, including employee medical records, infrastructure cloud credentials, financial data, Amazon cloud server access keys and more.

Unsecured databases

In its Q2 2018 Enterprise Mobile Threat Report, Appthority evaluated more than 2.7 million mobile apps on both iOS and Android. After a detailed investigation, the researchers identified 27,227 Android and 1,275 iOS apps that connected to Firebase backend systems and stored data in them.

Of those apps, 2,446 Android apps and 600 iOS apps were found saving data inside 2,271 misconfigured and unsecured databases that anybody could access.

Troves of data compromised

The exposed data includes 2.6 million plaintext passwords and user IDs, more than 4 million protected health information (PHI) records, 25 million GPS location records and 50,000 financial records such as banking, payment and Bitcoin transactions.

Over 4.5 million Facebook, LinkedIn, Firebase and corporate data store user tokens were also exposed.

Appthority said the Android versions of the affected apps were downloaded more than 620 million times from the official Google Play Store. The researchers notified Google of the issue before publishing their report and provided a list of affected apps and Firebase database servers.

Cyware Publisher
