The popular and reputable GST Invoice Billing Inventory (previously known as Book Keeper) app is one of the thousands of apps on the Google Play Store with sensitive data hard-coded into the client side of an app.
This means that threat actors can get their hands on API (application programming interface) keys, Google Storage buckets, and unprotected databases and exploit that information simply by analyzing publicly available information about apps.
With over 1 million downloads, the app is used by businesses to send invoices, bills, and estimates, track expenses and receipts, manage inventory, and send financial statements, among other things.
At the time of writing this article, the app had a 4-star (out of 5) rating based on 12K reviews. Following the Cybernews responsible disclosure procedure, we first informed the developer of the app about the issue in August, 2022. We’ve received no official response to any of our emails.
Comprehensive Cybernews research of over 33,000 Android apps led to the discovery of over 14,000 Firebase URLs in the client side of an Android app. Over 600 of them were links to open Firebase instances.
GST Invoice Billing Inventory was one of those 600+ apps that left an open database, exposing sensitive individual and corporate data.
Essentially, Firebase is a JSON database that stores either public or private information about an application or its users. It’s the most popular storage solution for Android apps.
The dataset contained user data: phone numbers, device types, emails, account creation timestamps, addresses, and premium app version purchasing data.
Corporate data, such as names, emails, locations, invoice counts, turnovers, office addresses, bank/cash balances, and tokens, were also stored in the dataset.
The 149MB-strong dataset is relatively small, given that the app has over one million users.
“However, firebase stores the data in compact one-liner, meaning that 149MB translates to over seven million rows (156 million characters) of sensitive business information, and huge damage could be done if that information falls into the wrong hands,” Cybernews researcher Vincentas Baubonis said.
The app is also leaking other hard-coded secrets, including API keys, links to Google Storage Buckets, and other less sensitive secrets (firebase_database_url, gcm_defaultSenderId, default_web_client_id, google_api_key, google_app_id, google_crash_reporting_api_key, google_storage_bucket).
While companies generally don’t leave datasets with sensitive data accessible to the public, they should still take better care of their customers’ data.
“The first mistake we see on a regular basis is accepting the misconception that internal IT staff or an MSP (managed service provider) are responsible for or have the resources to conduct cybersecurity operations. At a minimum, penetration testing should be recurring and done by a third party that can objectively assess the risks in the environment,” Paul Tracey, CEO of security firm Innovative Technologies, told Cybernews.
The second mistake is functionality. Frequently, experts see databases that have just not been updated, exposing them to a known exploit.
“This can happen for a variety of reasons, but it is often that the company paid a developer to build it, and once it was working, that was it. No maintenance or updates would be performed until it stops functioning properly, which, in some cases, is with a ransomware attack,” Tracey said.
The outcome for both companies and consumers is quite grim. Organizations face downtime, data loss, reputation, consumer confidence, civil lawsuits, and ransomware.
Cybernews researchers recently discovered two instances where threat actors encrypted data found in open datasets and asked for a ransom. Harvard Business Publishing licensee was one of the victims.
“For the consumer, this can be an ongoing disaster over a long period of time, depending on what data was stolen. At the very least, they will need to get identity monitoring in place, change all account passwords, and potentially deal with those credentials being used to fraudulently open accounts in their name. This can affect their ability to get medical care or get a home loan. This can really affect your entire life,” Tracey said.
While analyzing over 33,000 Android Apps, Cybernews researchers found over 124,000 strings potentially leaking sensitive data.
More details about the analysis are available on CyberNews website:
About the author: Jurgita Lapienytė, Chief Editor at CyberNews
(SecurityAffairs – hacking, GST Invoice Billing Inventory)