Popular Android apps leaking the data of millions of users

14 of the Google Play Store’s most popular apps have been exposing sensitive user data.

The CyberNews research group has reported that 14 top Android apps have been leaking user data as the result of a Firebase misconfiguration. These apps have been downloaded an estimated 140 million times, and exposed data could include usernames and passwords, email addresses, financial records, and user’s real names, amongst other details.

Firebase is a tool used by developers to create apps and browse through analytics, and comes with some other pertinent features – like hosting and real-time cloud storage. Aspiring developers have been able to use the platform to store information relating to their apps in the cloud; data, credentials, tokens, and more.

The fourteen apps highlighted by the CyberNews report were found to be affected by Firebase misconfiguration. As such, their real-time databases were unsecured, and anyone with the correct URL had access to them without any kind of authentication. Essentially, bad actors and snoops had an open invitation to comb through user information at their leisure.

The scope of the Google Play Store leak is also astonishing – all sorts of apps have been affected, and some have even had their initial purpose nullified or subverted. A Horoscope tool with 500,000 users, for example, exposed private messages and details, and a location tracker designed to keep tabs on your children was actually broadcasting data in real-time – a terrifying notion! Anyone using these apps could’ve had their most private data exposed to any bad actors with access to the app’s database. As such, the leaks are likely to have far-reaching consequences.

For the victims, their data could be used by bad actors in opportunistic phishing campaigns. Cybercriminals often craft socially engineered emails or instant messages in an attempt to snare victims, and those communications can be made all the more convincing if the crooks in question are armed with details gleaned from leaks – like the Google Play incident.

An ongoing problem

CyberNews has reached out to Google regarding the disastrous breach and received nothing in reply. This isn’t entirely surprising, but it is disheartening – as is the fact that nine of the fourteen affected apps are still leaking data!

What’s also worrying is that because Firebase is a cross-platform, iOS apps that utilize the tool could also be suffering from similar misconfiguration.

 

There is, unfortunately, little that users themselves can do. The app developers have plugged up their leaking databases after CyberNews alerted them to the issue, though this sort of retrospective action isn’t going to cut it in the long run. Developers need to be proactive during the coding process of their projects, and ensure that privacy and security are prioritized from day one, with adequate controls and processes, and particular attention to correctly configuring databases that safeguard user data.

All too often, however, these security considerations are neglected in favor of speeding up the development process.

It’s shocking to think that the privacy of millions of Android users has been put at risk for the sake of potentially cutting a few corners – it’s an attitude to digital security that’s as dangerous as it is naïve. Unfortunately, it’s not the first time that the App Store has been blighted by misconfigured third-party services and lackluster controls.

In May 2021, cybersecurity firm Check Point Research reported that 23 Android apps were leaking sensitive data, like passwords, images, and chat logs. More than 100 million users were potentially affected, and they, just like today’s victims, could do little more than wait for developers to plug the leaks… and start taking consumer security seriously.