Popular Android apps with 142.5 million collective installs leak user data

Pierluigi Paganini September 30, 2021

14 top Android apps with 142.5 million installs are misconfigured, leaving their data exposed to unauthorized parties

Original post @ https://cybernews.com/security/research-popular-android-apps-with-142-5-million-collective-downloads-are-leaking-user-data/

  • 14 top Android apps with 142.5 million installs are misconfigured, leaving their data exposed to unauthorized parties.
  • Nine out of 14 popular Android apps are still potentially leaking the data of more than 30.5 million users.
  • Firebase is a cross-platform tool, which suggests that Firebase misconfigurations affect their iOS versions as well.

CyberNews security researchers found that 14 top Android apps, downloaded by more than 140 million people in total, are leaking user data due to Firebase misconfigurations. Exposed data potentially includes users’ names, emails, usernames, and more.

If you have an Android app installed on your smartphone, there’s a high chance it is using Firebase. With an active monthly base of more than 2.5 million apps, Firebase is a mobile application development platform that offers a multitude of useful features, including analytics, hosting, and real-time cloud storage.

In 2014, the platform was acquired by Google and had since become one of the most popular real-time data storage solutions on the market for Android apps. Using Firebase, developers can conveniently store authentication tokens, user credentials, personal data, and other types of app-related information in the cloud.

In light of this, we at CyberNews decided to analyze over a thousand top apps on Google Play and see how many were storing their data on Firebase real-time databases insecurely.

What our Investigations team discovered was eye-opening: 14 top Android apps with 142.5 million installs were suffering from Firebase misconfigurations, which enabled us – and anyone else who knows the right URL – to access their real-time databases and all the user information stored without any kind of authentication.

Although we only looked at top Android apps on the Google Play store, Firebase is platform-agnostic. This means that iOS apps that use Firebase might be affected by these misconfigurations as well.

On September 14, CyberNews researchers reported their findings to Google and asked them to help the developers of the exposed apps secure their real-time databases.

Unfortunately, Google has ignored our queries, and we have not heard from them since.

As a result, nine out of 14 popular Android apps, which have not responded to our requests and could only be secured with assistance from Google, are still leaking the data of more than 30.5 million users.

How we collected and analyzed the data

In order to conduct this investigation, our Investigations team analyzed 1,100 most popular apps across 55 different categories in the Google Play store. For popularity metrics, our researchers used the ‘TOP {CATEGORY}’ collections provided by Google on the Play store. All analyzed categories and apps were accessible for Google Play users in the US.

CyberNews researchers analyzed the apps by decompiling and searching each app for traces of their default Firebase address. If the address was found, we checked for database permission misconfigurations by trying to access it using the REST API provided by Google.

All requests to the databases were made with the “Shallow = True” argument. This allowed us to see the names of the tables stored on the databases without accessing any data.

Note: During the course of this investigation, our researchers did not access any Firebase databases due to the potential ethical implications of accessing private databases without authorization.

Millions exposed by top Android apps

Our team’s findings show that 14 top Android apps, collectively downloaded by at least 142.5 million users, have their Firebase real-time databases unsecured, leaving their data out in the open.

Here’s an example of a horoscope app, installed by at least 500,000 users, whose exposed real-time database contains tables titled ‘chats’ and ‘users’:

Exposed real-time database screenshot<br>
Screenshot of an exposed Firebase real-time database

According to CyberNews researcher Martynas Vareikis, this indicates that the app is leaking not only user data, but also their private messages to anyone to access and do with as they please.

Other examples include Universal TV Remote Control, arguably the most popular TV remote app with over 100 million downloads on Google Play, and Remote for Roku: Codematics, which has been installed by more than a million Android users. Both apps suffered from Firebase access misconfigurations, potentially leaking user data as a result.

Exposed universal TV remote control apps<br>

Sadly, popular Android games are not safe from Firebase misconfigurations, either.

Hybrid Warrior app

Hybrid Warrior: Dungeon of the Overlord, a mobile role-playing game played by more than a million users, collects their email addresses and other personal information they’ve provided to Google, such as names, birth dates, phone numbers, and more.

Hybrid Warrior permissions

It was also potentially leaking all that data to anyone with the right URL. With such information in hand, threat actors could have staged phishing attacks against any user whose data has been exposed by the game.

Thankfully, the developers of these apps promptly plugged their leaking real-time databases after our Investigations team warned them about the misconfigurations.

With that said, having your personal information left exposed to threat actors by your favorite game is scary enough. But leaking your children’s data and their whereabouts to potential eavesdroppers can be much more dangerous.

Find My Kids: Child Cell Phone Location Tracker, a location tracking app downloaded by at least 10 million parents, left their Firebase real-time database exposed for an unknown period of time.

Find My Kids app<br>

The app allows you to track your kid’s whereabouts, their phone usage statistics, listen to a live audio stream from their phone’s microphone, and call them when they’re muted – all in real-time. Such an app leaving its real-time database out in the open could lead to disastrous consequences for kids.

After our researchers reached out to Find My Kids’ developer GEO TRACK TECHNOLOGIES INC about their exposed database, a company representative assured us that they “don’t use [a] Firebase real-time database in [their] product, at all.”

“I suppose this Firebase feature was enabled for testing some time ago and we don’t store any private data on it. Now we have turned off the Firebase real-time database completely,” a GEO TRACK TECHNOLOGIES INC team member told CyberNews.

While it’s impossible to ascertain the veracity of the claim that the team didn’t use Firebase to store user data, the issue has now been fixed on the developer’s part.

Finding basic Firebase misconfigurations in highly successful Android apps is somewhat surprising. You’d think that apps topping the Google Play charts in their respective categories would at least have put basic security measures in place. After all, Firebase real-time databases are configured with no access permissions by default, according to Ray Kelly, Principal Security Engineer at NTT Application Security.

“It’s up to the developer to add permissions as needed,” Kelly told CyberNews. “So, why would a developer decide to make the database completely open? Because it’s easy. Oftentimes, developers will take the easy route while coding their apps. Simply opening up the database will certainly speed up their process.”

For app developers who are less security-conscious, keeping access permissions in mind takes time and understanding, says Kelly, adding that “unfortunately, this is rarely the number one priority when it comes to application design and implementation.”

In the end, however, it’s mostly the users who bear the brunt of the damage from having their information exposed to threat actors.

Google turns a blind eye as data of 30+ million users is still being leaked

In total, our Investigations team found user tables in 14 top Android apps with 142.5 million collective installs. Thankfully, the four apps I mentioned above have had their issues fixed and no longer have their databases exposed to potential threat actors.

However, nine of the app developers have neither fixed all of their misconfigurations, nor responded to our repeated warnings.

To address the situation, we first reached out to Google on September 14 and asked them to help the developers secure their Firebase real-time databases.

Having received an automated response without a follow-up, we made another attempt at contacting Google via their press office three days later. The end result was identical: an automated reply email without any follow-up or explanation.

Google press email screenshot<br>

Needless to say, without input from Google, the leaks of those apps have not been plugged.

As of the time of this writing, Google still has not responded to our queries, while nine popular Android apps are potentially leaking the data of at least 30.5 million users.

We hope that the release of this investigation will prompt Google to react and resolve the matter as quickly as possible.

Note: As soon as we hear back from Google and the misconfigurations are fixed, we will update the article to include all the exposed apps our researchers discovered.

How do you protect your app from unauthorized access?

Give a look at the original post @ https://cybernews.com/security/research-popular-android-apps-with-142-5-million-collective-downloads-are-leaking-user-data/

About the author Edvardas Mikalauskas

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Android Apps)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment