CATEGORIES
home News

Google Firebase Misconfigurations Leave Private Data Vulnerable In Over 4,000 Android Apps

by Shane McGlaunWednesday, May 13, 2020, 02:39 PM EDT
play store update

The security research team at Comparitech has conducted an audit of hundreds of thousands of apps on the Google Play store. The research team found common misconfigurations on Google Firebase databases that allow unauthorized parties to find and access personal data of users. Firebase is one of the most popular storage solutions for Android Apps, used by an estimated 30% of all apps on Google Play. Researchers discovered during their investigation that 4.8% of mobile apps using Firebase aren't properly secured and allow anyone access to the databases containing the personal information of users, access tokens, and other data without a password or any authentication.

The security researchers examined 515,735 Android apps totaling about 18% of all apps available on Google Play. Within that sample group, 4,282 apps were found to be leaking sensitive information. Using extrapolation, the team estimated that 0.83% of all Android apps on the Play store are leaking sensitive data through Firebase, or about 24,000 apps in all.

Comparitech says that it notified Google on April 22 and provided a report detailing its findings. Google responded to the report stating it offered notifications to developers about possible misconfigurations in deployments and offered recommendations for fixing those issues. Google's spokesperson said that it is reaching out to impacted developers to help them address the issues discovered by the team.

Firebase is a cross-platform tool and the researchers expect that the misconfigurations impact many more apps outside of the Android ecosystem. Data that's being leaked by improper Firebase implementations includes email addresses, usernames, passwords, phone numbers, full names, chat messages, GPS data, IP addresses, and street addresses. Researchers also found credit card numbers and photos of government-issued IDs in the leaked databases. App categories most likely to leak data were games followed by educational apps.

The research team also found that most exposed databases gave attackers write access that could allow the attacker to inject data into an application to spread malware, corrupt the database, or scam application users. Google has been working to make Android more secure and misconfigured applications such as these work against its efforts. Google recently turned on Play Protect by default and requires it to stay on to scan applications on the Play Store for malware.

Tags:  Google, security, Google Play, (nasdaq:goog)
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment