Thousands of Mobile Apps Expose Their Unprotected Firebase Hosted Databases

Researchers from mobile security firm Appthority have discovered unprotected Firebase databases of thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plain text passwords, user IDs, location, and in some cases, financial records such as banking and cryptocurrency transactions.

The Firebase vulnerability has already impacted numerous organizations across various industries globally. According to Appthority researchers, over 22,000 Android apps and over 1,200 iOS apps are connected to Firebase. Additionally, around 47% of the connected iOS apps and 9% of the Android apps are vulnerable.

More than 100 million records are exposed, including:

  • 2.6 million plain text passwords and user IDs
  • 4 million+ PHI (Protected Health Information) records (chat messages and prescription details)
  • 25 million GPS location records
  • 50 thousand financial records including banking, payment and Bitcoin transactions
  • 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens

Appthority said, “Firebase is one of the most popular back-end database technologies for mobile apps but does not secure user data by default. Developers must secure all tables and all rows of data in order to avoid data exposure. And, unfortunately, it takes little effort for attackers to find open Firebase app databases and gain access to millions of private mobile data app records.

In 2017, the Appthority Mobile Threat Team (MTT) discovered the HospitalGown vulnerability named for data leaking through backend data stores that are unsecured. The Firebase vulnerability, is a new variant of HospitalGown, and occurs when mobile app developers fail to require authentication to a Google Firebase cloud database.

Appthority provides full details in its Appthority Mobile Threat Report, which is available for free download upon providing registration information.

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: