Thousands of Android apps can be found due to poor database implementation

Security researchers have identified a vulnerability in the way Firebase databases are configured in an estimated 24,000 Android apps. As a result, those apps leak user data.

The leak is in the widely used sdk Firebase. It is used to use NoSQL databases and database managers in Android, iOS and C++ apps, among other things. The researchers at security firm Comparitech say the tool appears in nearly a third of all Android apps. Some of those users have the wrong configuration, which means that data can be read out.

Comparitech looked at 515,735 apps in the Play Store that use Firebase. 4282 of these leaked user data. The company extrapolates that this means that a total of about 24,000 Android apps would leak information, although the exact number cannot be confirmed. It is not clear whether the vulnerability can also be exploited on iOS or other platforms.

The databases leak e-mail addresses, telephone numbers, GPS data and IP addresses, but also usernames and passwords. Comparitech shows in a screenshot how those passwords can be retrieved in plaintext. The researchers were able to retrieve seven million email addresses, 4.4 million usernames and one million passwords from the apps studied.

It is not a vulnerability, but a misconfiguration that can be prevented by app builders themselves. The vulnerability can be exploited by simply appending .json to a Firebase url. That only works for public databases. Those urls can be found through various search engines. Google removed such links from its search results at the end of last year, but they can still be found on Bing.

Comparitech advises database administrators to implement good rules in the software by not making them publicly available, and not to store passwords in plaintext.