Firebase is a mobile and web development framework acquired by Google in 2014. Since then, it has been used by developers for storage and easy syncing of data between users. This framework makes cross-platform teamwork swift; it brings serverless app development and offers strong user-based security. If all this is true, then why is Google’s Firebase said to expose sensitive information like usernames, passwords, phone numbers, location data, etc.?
The Truth You Need To Know
Recently, a security research team at Comparitech led by Bob Diachenko analyzed a sample of 515,735 Android apps published on the Play Store. During this analysis, 155,066 apps were found using Firebase, and out of these apps, 11,730 were found exposing Firebase databases publicly.
The researchers reached this conclusion because the databases did not respond the way a secured database should. When a request to access stored data is sent through the Firebase REST API to the database URL with .json appended, a secured database returns a denied response, which means the data is not exposed to the public. In these cases the response was just the opposite, which told the researchers that the information was not secured.
In addition to this, they looked for sensitive information, which was manually checked for false positives.
All this made clear that 18% of apps in Google Play Store have been compromised.
“4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users’ personal information, access tokens, and other data without a password or any other authentication,” Comparitech said.
Which Android apps are at risk?
The vulnerable apps mostly span the games, entertainment, education, and business categories. All these apps have been installed 4.22 billion times by Android users. As a result, sensitive information belonging to a large number of users has been compromised.
The full contents of the database, spanning across 4,282 apps, included:
- Email addresses: 7,000,000+
- IP addresses: 156,000+
- Phone numbers: 5,300,000+
- Usernames: 4,400,000+
- Passwords: 1,000,000+
- Full names: 18,300,000+
- GPS data: 6,200,000+
- Street addresses: 560,000+
- Chat messages: 6,800,000+
What is Google doing about it?
Google was notified about the findings on April 22. Since then, the tech giant has reached out to the affected developers to patch the issue.
This is not the first time the Firebase database has been accused of a data leak. Therefore, to keep their apps secure, developers should adhere to Firebase database rules.
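Database rules decide whether the unauthenticated .json request described above is denied. As an added example (not code from Comparitech or Firebase), the following Python audits a Realtime Database rules document for unconditionally public paths; the sample rules and the function names are constructed for illustration.

```python
import json

# Constructed sample rules (not from any real app): an open configuration
# and a locked-down one where each user can reach only their own record.
WEAK_RULES = json.loads("""{
  "rules": {
    ".read": true,
    "users": {"$uid": {".read": false, ".write": "$uid === auth.uid"}},
    "chat": {".write": "true"}
  }
}""")
HARDENED_RULES = json.loads("""{
  "rules": {
    ".read": false, ".write": false,
    "users": {"$uid": {".read": "$uid === auth.uid", ".write": "$uid === auth.uid"}}
  }
}""")


def is_public(value):
    """A rule is unconditionally open when it is the literal true."""
    return value is True or (isinstance(value, str) and value.strip() == "true")


def audit(node, path="/", inherited=frozenset()):
    """Return (path, operation, finding) tuples for a rules subtree."""
    # Rules cascade: access granted at a parent path cannot be revoked by a
    # child, so any rule under a public parent is reported as ineffective.
    findings, granted = [], set(inherited)
    for op in (".read", ".write"):
        if op not in node:
            continue
        if op in inherited:
            findings.append((path, op, "ineffective: parent is public"))
        elif is_public(node[op]):
            findings.append((path, op, "public"))
            granted.add(op)
    for key, child in node.items():
        if isinstance(child, dict):
            findings += audit(child, f"{path}{key}/", frozenset(granted))
    return findings


def audit_rules(doc):
    return audit(doc.get("rules", {}))


if __name__ == "__main__":
    print(*audit_rules(WEAK_RULES), sep="\n")
```

In the weak sample, the `false` under `users/$uid` protects nothing because the root already grants public read; the hardened sample produces no findings.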
To stay secure from such unknown threats, users should only download trusted apps and stay careful while sharing data.