Comparitech researchers led by cybersecurity expert Bob Diachenko have revealed that 24,000 Android apps expose user information through misconfigurations on Google Firebase, a popular development platform used by roughly 30% of apps on the Google Play Store.
In their analysis, the team reviewed 515,735 Android apps (18% of all apps on Google Play) and found 155,066 using Google’s cloud-hosted Firebase databases. Of those, 4,282 were leaking sensitive information such as:
• Email addresses of 7 million users
• Usernames of 4.4 million
• Passwords of 1 million
• Phone numbers of 5.3 million
• Full names of 18.3 million
• Chat messages of 6.8 million
• GPS data of 6.2 million
• IP addresses of 156,000 users
• Street addresses of 500,000
• Undisclosed number of credit card numbers and photos of government-issued identification
Broken down by app category, Games accounted for the largest share of vulnerable Firebase configurations (24.71%), followed by Education (14.72%), Entertainment (6.02%), Business (5.28%), and Travel and Local (4.31%).
The researchers also found that 9,014 apps “even included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it.” Malicious actors who also have write access could inject fake data into an application, phish or scam users, and, ultimately, spread malware.
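The misconfiguration behind these leaks is a Firebase Realtime Database whose security rules grant `.read` or `.write` to everyone rather than to authenticated users. The following added example (not Comparitech's tooling and not code from the research) is a small audit script that loads a rules document in the JSON format the Firebase console uses, walks it, and reports every node that is unconditionally readable or writable. The two rule sets embedded in it are constructed samples: the permissive "test mode" rules and a per-user rule set that ties access to the signed-in owner's `auth.uid`.

```python
"""Audit Firebase Realtime Database security rules for world-readable or
world-writable nodes.

Added example, not Comparitech's or Google's code. The rule documents below are
constructed samples in the JSON format the Firebase console uses.
"""
import json

# Constructed sample: the permissive "test mode" rules. Anyone who knows the
# database URL can read and write everything, no login required.
INSECURE_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed sample: per-user nodes readable and writable only by the signed-in
# owner. Nodes without a matching rule are denied by default. The read-only
# "public_config" node is intentionally public and should show up for review.
HARDENED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "public_config": {
      ".read": true,
      ".write": false
    }
  }
}
""")


def _is_unconditional(expr):
    """True when a rule grants access to everyone: JSON true or the string 'true'."""
    if expr is True:
        return True
    return isinstance(expr, str) and expr.strip() == "true"


def find_public_rules(rules_doc):
    """Return (path, permission) pairs for every node that is open to the world.

    Rules cascade downward in Firebase: ".read": true at the root exposes every
    child node, so a finding at "/" is the worst case.
    """
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for perm in (".read", ".write"):
            if perm in node and _is_unconditional(node[perm]):
                findings.append((path, perm))
        for key, child in node.items():
            if not key.startswith("."):  # keys starting with "." are rules, not paths
                walk(child, path.rstrip("/") + "/" + key)

    walk(rules_doc.get("rules", {}), "/")
    return findings


def audit(rules_doc):
    """Classify a rules document.

    'critical' if any node is world-writable (data can be altered or planted),
    'review'   if some node is world-readable (confirm the exposure is intended),
    'ok'       if nothing is open to unauthenticated clients.
    """
    findings = find_public_rules(rules_doc)
    if any(perm == ".write" for _, perm in findings):
        return "critical", findings
    if findings:
        return "review", findings
    return "ok", findings


if __name__ == "__main__":
    for name, doc in (("insecure", INSECURE_RULES), ("hardened", HARDENED_RULES)):
        verdict, hits = audit(doc)
        print(f"{name}: {verdict} {hits}")
```

Run against your own exported rules (`json.load(open("rules.json"))`) the script gives a quick first pass; a `critical` verdict corresponds to the write-permission case the researchers describe, while a `review` hit on a node like `public_config` is only a problem if that node holds anything personal.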
The risk of exposure for any Android user is considerable, given that the vulnerable apps have been installed more than 4 billion times in total.
“Given the average smartphone user has between 60 and 90 apps installed, the chances are high that an Android user’s privacy has been compromised by at least one app,” researchers said.
Researchers notified Google on April 22, and provided a full report of their findings. The tech company said it is reaching out to developers with recommendations for amending potential misconfigurations.
What can an Android user do? Comparitech suggests following basic cyber hygiene rules:
• Stop recycling passwords across multiple accounts
• Only use trusted Google Play applications with good reviews and many downloads
• Don’t share sensitive information