Millions of passwords, GPS locations, and financial records are sitting unprotected in plain sight — and yours could be one of them.
Researchers at Appthority, a mobile security firm, scanned both Android and iOS mobile apps that used Firebase databases to store their users’ data. For the uninitiated, Firebase is a popular cloud-based backend platform for mobile and web applications. The company was acquired by Google back in 2014, so it’s found a real user base among some of the top Android developers.
What mobile security researchers found is alarming
For their report, Appthority looked into more than 2.7 million mobile apps on both iOS and Android. Its researchers found that of the 27,227 Android apps and 1,275 iOS apps storing their data in Firebase’s backend database systems, 3,046 of these apps saved data within 2,271 unsecured databases that literally anyone could access. Of the apps storing this data openly for anyone to see, 2,446 are on Android and the remaining 600 are iOS applications.
So, what exactly is being stored in plain sight here for the world to see? Among all of these vulnerable applications, the leaked data includes: 2.6 million user IDs and passwords in plain text, 25 million stored GPS location records, 50 thousand in-app financial transaction records, and more than 4.5 million social media platform user tokens. Other data being leaked includes over 4 million PHI (Protected Health Information) records, which contain private chats and prescription records.
In total, over 100 million individual records spanning a total of over 113 gigabytes of data make up the accessible information involved in the breach. The affected Android apps were downloaded more than 620 million times from the Google Play store.
Just how easy is it for anyone to gain access to this personal data? According to the report, the vulnerable Firebase backends aren’t protected by firewalls or authentication systems. To gain entry to these unsecured databases, a “hacker” would simply have to tack on “/.json” with a blank database name to the end of the host name (for example, “https://appname.firebaseio.com/.json”).
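A Realtime Database whose security rules grant `".read": true` at the root is readable by anyone who knows its URL, which is the condition the researchers describe; the rules below, an added example and not something taken from the Appthority report, instead deny access by default and let each signed-in user reach only their own subtree. They assume the app keeps its records under `users/<uid>`, which is an assumed layout rather than one the report names.

```json
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
```

Firebase rules cascade downward, so a permissive `.read` at the root cannot be narrowed by rules deeper in the tree; keeping the root locked is what makes the unauthenticated “/.json” request described above return nothing.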
Researchers point out that they contacted Google before releasing this report. They say they have also provided Google with a full list of the unsecured apps, along with reaching out to the app developers themselves. While the list of vulnerable apps has not been made public, they include apps in categories ranging from messaging and finance to health and travel. The companies or creators behind these affected apps are located around the world.