The security research team at Comparitech has conducted an audit of hundreds of thousands of apps on the Google Play store. The research team found common misconfigurations on Google Firebase databases that allow unauthorized parties to find and access personal data of users. Firebase is one of the most popular storage solutions for Android Apps, used by an estimated 30% of all apps on Google Play. Researchers discovered during their investigation that 4.8% of mobile apps using Firebase aren't properly secured and allow anyone access to the databases containing the personal information of users, access tokens, and other data without a password or any authentication.
The security researchers examined 515,735 Android apps totaling about 18% of all apps available on Google Play. Within that sample group, 4,282 apps were found to be leaking sensitive information. Using extrapolation, the team estimated that 0.83% of all Android apps on the Play store are leaking sensitive data through Firebase, or about 24,000 apps in all.
Comparitech says that it notified Google on April 22 and provided a report detailing its findings. Google responded to the report stating it offered notifications to developers about possible misconfigurations in deployments and offered recommendations for fixing those issues. Google's spokesperson said that it is reaching out to impacted developers to help them address the issues discovered by the team.
Firebase is a cross-platform tool and the researchers expect that the misconfigurations impact many more apps outside of the Android ecosystem. Data that's being leaked by improper Firebase implementations includes email addresses, usernames, passwords, phone numbers, full names, chat messages, GPS data, IP addresses, and street addresses. Researchers also found credit card numbers and photos of government-issued IDs in the leaked databases. App categories most likely to leak data were games followed by educational apps.
The research team also found that most exposed databases gave attackers write access that could allow the attacker to inject data into an application to spread malware, corrupt the database, or scam application users. Google has been working to make Android more secure and misconfigured applications such as these work against its efforts. Google recently turned on Play Protect by default and requires it to stay on to scan applications on the Play Store for malware.