Researchers spot thousands of Android apps leaking user data through misconfigured Firebase databases

Take care what data you enter into apps, it may be stored insecurely

Got Tips? 8 Reg comments

Security researchers at Comparitech have reported that an estimated 24,000 Android apps are leaking user data because of misconfigured Firebase databases.

Firebase is a popular backend service with SDKs for multiple platforms, including Android, iOS, web, C++ and Unity (for games). Features include two NoSQL database managers, Cloud Firestore and the older Realtime Database. Data is secured using rules which "work by matching a pattern against database paths, and then applying custom conditions to allow access to data at those paths", according to the docs. This is combined with authentication to lock up confidential data while also allowing access to shared data.

"A common Firebase misconfiguration allows attackers to easily find and steal data from storage. By simply appending '.json' to the end of a Firebase URL, the attacker can view and download the contents of vulnerable databases," the report explained.

How common a problem is it? The Comparitech security team reviewed just over half a million apps, comprising, they say, about 18 per cent of apps in the Play store. "In that sample, we found more than 4,282 apps leaking sensitive information," the report claimed.

No high-tech investigation was required. The team simply searched each app's resources for text strings ending ".firebaseio.com", to find database URLs. The team also checked for write access, and of those which were publicly exposed (11,730), 9,014 offered write access to world+dog, the report claimed.

Write access is alarming, because this has the potential to corrupt an app's behaviour. If an app had a high level of permissions on the user's device, one can imagine cases where this could cause further exploits.

Some developers struggle with Firebase security, as discussions on StackOverflow confirm. They may want to avoid the friction of a login, though; according to the docs, you can use "temporary anonymous accounts" for this.

This question from a developer who got a warning email from Google received an answer from Firebase engineer Frank van Puffelen, who explained that simply requiring authentication is insufficient.

"If you enable any auth provider in Firebase Authentication, anyone can sign in to your back-end, even without using your app. Depending on the provider, this can be as easy as running a bit of JavaScript in your browser's developer console. And once they are signed in, they can read and write anything in your database."

Firebase configuration is, it seems, easy to get wrong.

What kind of data did Comparitech find? Email addresses, usernames, passwords, phone numbers and addresses, GPS data (in case the address is not enough), chat messages and more. Occasionally there was passport data, credit cards, and "photos of government-issued identification".

The apps most likely to be vulnerable are games, with the report claiming that 24.71 per cent of games analysed were vulnerable. Next worst was education (14.72 per cent), followed by entertainment (6.02 per cent), business (5.28 per cent), and travel (4.31 per cent). We have asked Google if it can verify these figures.

Google did respond to Comparitech, saying: "Firebase provides a number of features that help our developers configure their deployments securely. We provide notifications to developers about potential misconfigurations in their deployments and offer recommendations for correcting them. We are reaching out to affected developers to help them address these issues."

Some of these databases may even be indexed in search results. We know this because the problem is not new. In December 2019, it was reported that Google hides Firebase databases from search results, but you can find them with other search engines such as Bing.

Comparitech appeals to developers to secure their Firebase configurations, but what about users? It is not easy to tell if an application has a secure backend. Comparitech suggests not reusing passwords, to which we might add the obvious: data that is not entered will not be leaked. ®

Sponsored: Webcast: Ransomware has gone nuclear

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020