Thousands of Mobile Apps Expose Their Unprotected Firebase Hosted Databases

Mobile security researchers have discovered unprotected Firebase databases belonging to thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plaintext passwords, user IDs, location data and, in some cases, financial records such as banking and cryptocurrency transactions.

Google's Firebase service is one of the most popular back-end development platforms for mobile and web applications. It offers developers a cloud-based database that stores data in JSON format and syncs it in real time with all connected clients.

Researchers from mobile security firm Appthority discovered that many app developers fail to properly secure their back-end Firebase endpoints with firewalls and authentication, leaving hundreds of gigabytes of their customers' sensitive data publicly accessible to anyone.

Since Firebase offers app developers an API server, as shown below, for accessing the databases hosted with the service, attackers can gain access to unprotected data simply by appending "/.json" with a blank database name to the end of the hostname.

Sample API URL: https://<Firebase project name>.firebaseio.com/<database.json>
Payload to access data: https://<Firebase project name>.firebaseio.com/.json

To determine the extent of this issue, the researchers scanned over 2.7 million apps and found that more than 3,000 apps—2,446 Android and 600 iOS apps—were leaking a total of 2,300 databases with more than 100 million records, making it a giant breach of over 113 gigabytes of data.

The vulnerable Android apps alone were downloaded more than 620 million times.

Affected apps belong to multiple categories, such as telecommunication, cryptocurrency, finance, postal services, ride-sharing companies, educational institutions, hotels, productivity, health, fitness, tools and more.

The researchers also provided a brief analysis, given below, of the data they downloaded from vulnerable applications.
  • 2.6 million plaintext passwords and user IDs
  • 4 million+ PHI (Protected Health Information) records (chat messages and prescription details)
  • 25 million GPS location records
  • 50,000 financial records including banking, payment and Bitcoin transactions
  • 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens

The researchers claim all this is happening in the first place because the Google Firebase service does not secure user data by default; developers must explicitly implement user authentication rules on all database rows and tables to protect their databases from unauthorized access.

"The only security feature available to developers is authentication and rule-based authorization," the researchers explain. What's worse? There are no "third-party tools available to provide encryption for it."

The researchers had already contacted Google and provided a list of all vulnerable app databases, and also contacted a few app developers to help them patch this issue.
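The rule-based authorization the researchers refer to is the Realtime Database's security rules file. The following `database.rules.json` is an added example written for this page; it is not code from the article, from Appthority, or from any of the affected apps. It shows a hardened ruleset, with the permissive root setting that an openly readable `/.json` endpoint effectively amounts to noted in a comment. The `users`, `public` and `displayName` paths are assumed placeholders for an app's own data layout. Two properties of the rules language drive the layout: an unauthenticated client has `auth == null`, and a `.read`/`.write` grant cascades down to every child and cannot be revoked lower in the tree, so the safe pattern is to deny at the root and grant as narrowly as possible below it.

```json
{
  "rules": {
    // Root: nobody may read or write the whole tree. This is the rule that
    // turns an unauthenticated GET on /.json into "Permission denied".
    // A database readable without credentials behaves as if it had
    // ".read": true here instead (constructed comparison, not a quote).
    ".read": false,
    ".write": false,

    // Per-user data (assumed path). $uid is a path wildcard; a client may
    // reach only the subtree named by its own Firebase Authentication uid,
    // and only when it presents a valid token (auth != null).
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        "displayName": {
          // Shape check on the one field clients are expected to write.
          ".validate": "newData.isString() && newData.val().length <= 64"
        }
      }
    },

    // Data that genuinely is public (assumed path): world-readable, but no
    // client may write it. Server-side code using the Admin SDK bypasses
    // these rules entirely, so back-end writes still work.
    "public": {
      ".read": true,
      ".write": false
    }
  }
}
```

With this file in place, `firebase deploy --only database` pushes the rules, and an unauthenticated request to `https://<Firebase project name>.firebaseio.com/.json` answers with HTTP 401 and `{"error":"Permission denied"}` rather than the full data tree. Rules control access, not storage: as the researchers note, they provide no encryption, so secrets such as passwords should never be written into the database in the first place.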