Thousands of Mobile Apps Expose Their Unprotected Firebase Hosted Databases

Recently, the researchers dealing with mobile security stumbled across thousands of unprotected Firebase databases on iOS and Android apps that make over 100 million data records vulnerable. These records include user IDs, passwords, location and in some cases it even critical financial data like banking records and even transactions made in cryptocurrency were easily available.

The Firebase is a very popular service offered by Google that serves as a back-end platform for the development of mobile as well as web apps that provides the developers with a cloud-based database. All the data is stored within this database in the JSON format and can be connected with the clients in a real-time basis.

Appthority is a mobile security firm and the researchers at this firm stumbled across the mistake that a lot of app developers make, and this mistake was their failure to protect their back-end endpoints on Firebase with the necessary firewalls and validation. This simple point that was overlooked by the developers makes several dozens of gigabytes of vital data about the customers vulnerable and in fact, it can be easily accessed by anyone who knows what they are looking for.

Firebase provides an API server and the attackers can merely gain access to it by adding a simple “/. json” along with the name of a blank database toward the end of the hostname.

To check the extent of this problem, researchers randomly scanned more than 2.5 million apps and they discovered that 3000 apps (about 2450 Android and the rest were iOS) had holes in their security that effectively caused them to leak over 2300 databases containing more than 100 million records. All this amounts to over 110 gigabytes of data that was now vulnerable to hacking. In fact, the Android Mobile Apps that were regarded to be vulnerable were downloaded over 600 million times.

These apps belonged to different categories like finance, educational institutions, lifestyle, fitness, health, cryptocurrency, and so on.
The researchers are of the opinion that all this is happening because the Firebase service provided by Google doesn’t have a default setting to secure the user data and the developers need to consciously implement a user authentication protocol on their entire databases to safeguard them and prevent the scope of any unauthorized access. Also, the lack of any third-party tools to provide encryption merely increase the vulnerability of all the data that is stored within.

Researchers have contacted Google with a list of vulnerable apps and are now working together with other app developers to fix this security breach.