Top 14 Android Apps with Millions of Installs Have Firebase Misconfigurations

October 15, 2021
The research revealed that nine out of fourteen Android apps, which have more than 30 million users, are potentially leaking data. The top 14 Android apps with over a hundred million installs are at risk because of Firebase misconfigurations. Unauthorized parties might access these apps' data and expose confidential information.

Almost everyone has an Android app installed on their smartphone, and there is a possibility that the app is utilizing Firebase.

This mobile application development platform offers a wide array of valuable tools such as hosting, analytics, and cloud storage. 

Credentials, personal data, and other app-related information in the cloud can be stored conveniently using Firebase. However, the leaking of confidential data is a significant threat. 

A research team analyzed almost a thousand apps at the top of the download charts to pinpoint exactly which ones use the Firebase Realtime Database. Fourteen top Android apps, with 142.5 million installs between them, were found to have Firebase misconfigurations. The problem lets anyone who knows the correct URL access sensitive information and databases without any authentication check.
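
As an added example (not from the research or from Firebase's own tooling), this Python script audits a Realtime Database rules file for the misconfiguration described above: `.read` or `.write` granted unconditionally. It assumes the rules are strict JSON without comments; the sample rules and function names are constructed for illustration. Because Realtime Database rules cascade, a grant at a parent path also applies to every child path, so those are reported too.

```python
import json

# Constructed sample of a Realtime Database rules file (not from any real app).
SAMPLE_RULES = """
{
  "rules": {
    "public_feed": { ".read": true, ".write": "auth != null" },
    "users": { "$uid": { ".read": "$uid === auth.uid", ".write": "$uid === auth.uid" } },
    "orders": { ".read": " true ", "$order": { ".write": "auth != null" } }
  }
}
"""

def is_always_true(expr):
    """True when a rule grants access unconditionally (boolean true or the string "true")."""
    if isinstance(expr, bool):
        return expr
    return isinstance(expr, str) and expr.strip() == "true"

def audit_rules(node, path="/", inherited=frozenset()):
    """Walk the rules tree; return (path, op, reason) for every unauthenticated grant."""
    # 'inherited' holds the operations a parent path already opened to everyone.
    findings = []
    open_here = set(inherited)
    for op in (".read", ".write"):
        if op in inherited:
            findings.append((path, op, "inherited from a public parent"))
        elif is_always_true(node.get(op)):
            findings.append((path, op, "granted to everyone"))
            open_here.add(op)
    for key, child in node.items():
        if not key.startswith(".") and isinstance(child, dict):
            findings += audit_rules(child, path.rstrip("/") + "/" + key, frozenset(open_here))
    return findings

def audit_rules_text(text):
    """Parse a rules document and audit everything under its top-level "rules" key."""
    return audit_rules(json.loads(text)["rules"])

if __name__ == "__main__":
    for path, op, reason in audit_rules_text(SAMPLE_RULES):
        print(f"{path:20} {op:7} {reason}")
```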

This research was conducted on a sample of Android apps only. However, that does not mean the problem is specific to Android: iOS apps that also use Firebase might have the same misconfigurations. The researchers who discovered the misconfigurations appealed to Google, proposing that the company help developers upgrade and update their current data security systems.

Despite the team's efforts and willingness to help, Google has unfortunately not responded or taken any action on the matter.

Today, the 14 Android apps were notified about the misconfiguration, and only 5 of them responded and took the necessary action. The issue remains a problem because the nine remaining apps, which did not respond to the queries, are still leaking data, putting almost 30 million users at risk.
