Security researchers at Comparitech have reported that an estimated 24,000 Android apps are leaking user data because of misconfigured Firebase databases.
Firebase is a popular backend service with SDKs for multiple platforms, including Android, iOS, web, C++ and Unity (for games). Features include two NoSQL database managers, Cloud Firestore and the older Realtime Database. Data is secured using rules which “work by matching a pattern against database paths, and then applying custom conditions to allow access to data at those paths”, according to the docs. This is combined with authentication to lock up confidential data while also allowing access to shared data.
“A common Firebase misconfiguration allows attackers to easily find and steal data from storage. By simply appending ‘.json’ to the end of a Firebase URL, the attacker can view and download the contents of vulnerable databases,” the report explained.
How common a problem is it? The Comparitech security team reviewed just over half a million apps, comprising, they say, about 18 per cent of apps in the Play store. “In that sample, we found more than 4,282 apps leaking sensitive information,” the report claimed.