Update (07/04): Appthority has responded to our questions regarding apps with unsecured Firebase databases. It said users can only figure out if they’re affected by using corporate solutions, which rules out the average consumer.
The response comes after the company revealed that apps with misconfigured Firebase databases had leaked over 113GB of user data, totaling 100 million records.
The company still had a few tips for users anyway, calling on them to rethink whether they should give an app certain permissions (e.g. camera, contacts). It also urged users to look at the terms and conditions of desired apps.
The team also called on developers to review data store technologies used by their apps, while calling on Google to deliver more security measures out of the box.
Original article, July 3, 2018: Information belonging to millions of users has been leaked via apps with misconfigured Firebase databases, according to a new report by Appthority (h/t: XDA-Developers).
Firebase is one of the more popular mobile/web development platforms, powering app features like messaging, notifications, and authentication. Unfortunately, many developers aren’t doing the necessary legwork to secure user data related to the platform, Appthority noted.
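The article does not say which settings were wrong beyond "misconfigured", so the following is an added illustration, not taken from the report or from Appthority: an open Firebase Realtime Database rule set next to one that only lets a signed-in user read and write their own record. The `users/$uid` layout is an assumption for the example, and Firebase's rules syntax accepts `//` comments.

```json
{
  // Assumed example, not from the article. Two rule sets, weak then corrected.

  // WEAK: anyone who knows the database URL can read and write the whole tree,
  // with no sign-in required. Data stored under these rules is effectively public.
  "rules_open_DO_NOT_USE": {
    ".read": true,
    ".write": true
  },

  // CORRECTED: deny everything at the root, then open only the narrow path
  // a user legitimately needs. Rules cascade, so a child can grant access
  // that the root denies, but cannot take away access a parent granted.
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        // Only the authenticated user whose uid matches this key gets in.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "email": {
          // Shape checks stop unexpected or oversized values from being stored.
          ".validate": "newData.isString() && newData.val().length < 256"
        },
        // Reject any other child keys so the record cannot grow arbitrary fields.
        "$other": { ".validate": false }
      }
    }
  }
}
```

Only the `rules` key is a real Firebase rule set; the `rules_open_DO_NOT_USE` object is shown side by side for contrast and should not be deployed.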
The team sifted through 2.7 million Android and iOS apps, discovering that over 3,000 apps were leaking data from 2,300 unsecured servers. In hard numbers, Appthority said 100 million records (or 113GB of data) were leaked via these apps.
These records include 2.6 million plaintext passwords and IDs, over four million protected health information records, 25 million GPS location records, 50,000 financial records, and 4.5 million user tokens (e.g. Facebook, LinkedIn, Firebase).
What about affected apps?
The organization said the vulnerable Android apps were downloaded more than 620 million times, suggesting this isn’t limited to niche apps. Moreover, fitness and health apps had the most data leaked. This was particularly concerning, Appthority said, as medical data is considered more valuable than credit card numbers for fraud.
The team hasn’t disclosed which apps are affected, so there’s no real way to know whether your data is compromised. We’d recommend changing your passwords (though we realize that the affected apps could leak the new password too).
The team said they’ve notified Google about the issue, providing the company with a list of affected apps and database servers.
We’ve contacted Appthority for information on affected apps and will update the article when/if we get a response.