Google-owned app development platform Firebase is most popular among mobile app developers. Researchers at Comparitech have revealed that over 4,000 Android apps are leaking sensitive data. This is happening because of a misconfiguration on Google's Firebase database.
An estimated 30-percent of all apps on the Google Play Store use Firebase. Out of all the Android apps that are using Google Firebase to store their data, 4.8 percent of them are not secured. These apps allow anyone to access user data, including users' personal information.
Games are most exposed across all app categories.
The researchers examined a total of 515,735 Android apps listed on the Google Play Store. While 155,066 of the apps are using Firebase, a total of 4,282 apps are confirmed to be leaking sensitive information. 9,014 apps even include read and write permissions. With write permissions, anyone could add or remove data from the server.
Games and Education apps account for almost 40% of all the apps that are leaking user data. Using this vulnerability, the e-mail addresses, usernames, passwords, phone numbers, GPS data, street addresses, and much more can be downloaded without any authentication. When we take all the Android apps into account, it comes down to an estimated 24,000 apps.
Google to help fix Android apps leaking data
Anyone can access these databases by simply adding ".json" to the end of a Firebase URL. While Google has removed these database URLs from showing in search results, they are still indexed by other search engines. Specifically, the report only includes data from the apps listed on the Google Play Store.
Even app developers on other operating systems also use Firebase. Because of this, the number of apps impacted by database misconfiguration will be more than 24,000. The researchers also found that the average smartphone user installs between 60 and 90 apps. It's highly likely that at least one of these apps is leaking sensitive user data.
The researchers provided the report to Google on April 22nd. “We provide notifications to developers about potential misconfigurations in their deployments and offer recommendations for correcting them. We are reaching out to affected developers to help them address these issues.” said a Google spokesperson.
This is why we should never use the same password on multiple websites or apps. If a data breach on a website or an app has exposed your password, the hacker will first use that password to access your other accounts.