Thousands of Mobile Apps Expose Their Unprotected Firebase Hosted Databases

Researchers from mobile security firm Appthority have discovered unprotected Firebase databases of thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plain text passwords, user IDs, location, and in some cases, financial records such as banking and cryptocurrency transactions.

The Firebase vulnerability has already impacted numerous organizations across various industries globally. According to Appthority researchers, over 22,000 Android apps and over 1,200 iOS apps are connected to Firebase. Additionally, around 47% of the connected iOS apps and 9% of the Android apps are vulnerable.

Appthority said, “Firebase is one of the most popular back-end database technologies for mobile apps but does not secure user data by default. Developers must secure all tables and all rows of data in order to avoid data exposure. And, unfortunately, it takes little effort for attackers to find open Firebase app databases and gain access to millions of private mobile data app records.”

In 2017, the Appthority Mobile Threat Team (MTT) discovered the HospitalGown vulnerability named for data leaking through backend data stores that are unsecured. The Firebase vulnerability, is a new variant of HospitalGown, and occurs when mobile app developers fail to require authentication to a Google Firebase cloud database.

Appthority provides full details in its Appthority Mobile Threat Report, which is available for free download upon providing registration information.