Security researchers of CyberNews they found that 14 of the best Android apps, downloaded by over 140 million people in total, they do not protect user data due to incorrect Firebase configurations. The data exposed potentially includes usernames, emails, usernames and more.
14 Android apps put user data at risk
If you have an Android app installed on your smartphone (who doesn’t have one?), You are most likely using Firebase. With a monthly active base of over 2.5 million apps, Firebase is a mobile application development platform that offers a multitude of useful features, including real-time analytics, hosting, and cloud storage.
In 2014, the platform was acquired by Google and has since become one of the most popular real-time data storage solutions on the market for Android apps. Using Firebase, developers can conveniently store authentication tokens, user credentials in the cloud; personal data and other types of information relating to apps.
In light of this, the CyberNews team decided to analyze over a thousand major apps on Google Play and see how many were storing their data on Firebase real-time databases in an insecure way. And we already tell you that the news is not at all positive.
According to CyberNews, 14 of the best Android apps, with a total of 142.5 million installations, they had Firebase configuration errors. Thus allowing investigators and anyone who knows the right URL to access the databases in real time. Consequently also to all user information stored without any type of authentication.
On September 14, CyberNews researchers reported their findings to Google and offered to help the developers of the exposed apps protect their databases in real time. Unfortunately, Google ignored the offer and did not respond.
The consequence is that 9 of the 14 most popular Android apps, who did not respond to CyberNews requests and could only be protected with the assistance of Google, they continue to disclose the data of over 30.5 million users.
The apps that immediately solved the problem
Here is an example of a horoscope app, installed by at least 500,000 users, whose exposed real-time database contains tables titled “chats” and “users”:
Photo: CyberNews.
According to the CyberNews researcher Martynas Vareikis, this indicates that the app shows not only users’ data, but also their private messages to anyone who can access and use them as they like.
Other examples include Universal TV Remote Control, probably the most popular TV remote app with over 100 million downloads on Google Play. AND Remote for Roku: Codematics, which has been installed by over one million Android users. Both apps suffered from Firebase login setup errors, resulting in potential user data loss.
Having your personal information left exposed is scary enough. But disclosing your children’s data and location to potential eavesdroppers can be much more dangerous. It is the case of Find My Kids: Child Cell Phone Location Tracker, a tracking app downloaded by at least 10 million parents. The app left the Firebase real-time database exposed for an unknown period of time.
The app allows you to track the position of one’s child, phone usage statistics, listen to a live audio stream from the phone’s microphone and call it when it’s off, all in real time. Such an app leaving its real-time database out in the open could lead to dire consequences for children.
Google never responded to the warnings
Fortunately, the developers of the four apps mentioned were notified by CyberNews and promptly deactivated the database. Find My Kids developers also added that they never used the Firebase database, which was created for a test. But unfortunately, the other nine apps did not respond to repeated warnings and they continue to have a database open to virtually anyone.
Google, for its part, never responded to the survey. After the first email, to which the company replied automatically, the CyberNews team attempted to contact Google through their press office. Again the result was the same: an automatic reply email with no explanation.