Some 24,000 Android applications have been leaking sensitive data – including mobile phone numbers and passwords – through improperly configured storage on Google’s Firebase development platform, a new study has found.
The critical lack of security was uncovered by a research team at Comparitech.com, an expert group focusing on information security and privacy. The Firebase platform is the most popular storage solution for Android apps, used by almost a third of all the applications available on the Google Play Store.
The researchers sampled a whopping 515,735 of the apps – around 18 percent of all the programs available on the Store – and found that more than 4,200 of them turned out to have faulty security configurations on the Firebase and were leaking sensitive information.
The apps’ databases turned out to be entirely insecure and could have been accessed by anyone, without a password or any other authentication. The vulnerable applications have been installed 4.22 billion times by Android users, according to Comparitech. The majority of the affected apps fell into the ‘games’ category.
The scale of the leak is likely to be significantly larger, and the researchers estimate that some 24,000 of the Android apps using the development platform likely experience the same security problems. As Firebase is cross-platform and used by apps for other operating systems, they might be affected by similar security problems.
As well as having publicly exposed databases which contained telephone numbers, passwords, messages, IP and street addresses in plain text format, some applications had databases that even included write permissions. Besides simply vandalizing such databases to bring an app down, an attacker could easily inject their own data into it. The vulnerability could have been used to scam app users, insert malware, or even publish fake headlines in news apps, the researchers said.
Comparitech informed Google of its findings, with the tech giant responding that it had notified Firebase users of the possibly faulty security configurations and was “reaching out to affected developers to help them address these issues.”
The researchers themselves also urged Firebase-using developers to read the platform documentation, stating that most of the “misconfigurations are entirely avoidable.” The recommendations include making their databases private, as well as avoiding the practice of storing passwords in plain text form.
Recommendations for app users include being “aware of what information you share with an application,” and not sharing “sensitive personal information, such as home address, photos of government ID, Social Security numbers” altogether. While those truly are words to live by, most apps simply refuse to work without obtaining broad access to your gadget.
Think your friends would be interested? Share this story!