More Than 4,000 Android Apps are Reportedly Leaking User Passwords

4 Thousand Android Apps Leak Sensitive Information

Some people can produce a long list of arguments against using Android, and you can bet that security will be pretty near the top. Publishing apps on Google Play is much easier compared to Apple's App Store, and malware operators are taking full advantage of this. Despite the numerous campaigns and the security precautions that were implemented as a result, malicious apps still manage to slip through the cracks every now and again, and Android users are constantly reminded to be careful with the software they install and use.

A recent study conducted by a team of researchers from Comparitech, however, shows that no matter how vigilant you are, you can still have your data exposed. According to it, thanks to some configuration mistakes, millions of records saved by thousands of apps can be accessed with a single search query, and this time, the problem is not limited to Android.

Thousands of Firebase-powered applications store user data in unprotected databases

The team of experts was led by Bob Diachenko who wanted to learn more about how developers use Firebase. Firebase is an app development platform that gives programmers a number of tools for managing mobile and web applications, including authentication mechanisms and cloud messaging capabilities. Diachenko was interested in Firebase's data storage mechanisms.

The research started with a little over half a million Android applications. 155 thousand of them were based on Firebase, and he used the platform's REST API to access data stored by the apps. The databases of 11,730 of the apps were publicly accessible and were not protected by a password, and of them, 4,282 contained sensitive information. The leaked data included, among other things:

  • 156 thousand IP addresses
  • 560 thousand physical addresses
  • 1 million passwords
  • 4.4 million usernames
  • 5.3 million phone numbers
  • 6.2 million records containing GPS data
  • 6.8 million chat messages
  • 7 million email addresses
  • 18.3 million names

In addition to all this, some of the exposed records also contained credit card data and even photos of ID documents.

Even more worryingly, the data is stored in JSON format, and it's indexed by Bing. In other words, downloading an entire database full of sensitive information could be as easy as entering a query in Microsoft's search engine.

How big is the problem exactly?

To emphasize the seriousness of the situation, Diachenko's team tried to put the numbers into perspective. The vulnerable apps comprise less than 1% of all the applications the experts analyzed, which may not sound like a lot, but if we assume that the rate is the same for the entire Play store, we'd arrive at a conclusion that about 24 thousand of the applications offered on Google Play are leaking sensitive data. And if you think that this is not that bad, you should probably consider the fact that the 4,282 apps Diachenko and his team looked at have a combined download count of 4.22 billion.

The problem spans beyond Google Play and Android. Developers of web-based and iOS applications use Firebase as well, and we can only guess how many of them have made the same configuration mistake.

The creators of the 4,282 vulnerable apps were urged to secure their databases after Diachenko disclosed the issue to Google, and mobile app developers are advised to be a bit more careful when setting up their Firebase-powered applications. Meanwhile, users are told that they should use unique passwords for all their accounts and should not share too much information with the applications on their smartphones. Unfortunately, in this particular case, this is all they can do.

By Duran
May 13, 2020
News
English
May 13, 2020
News

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

News

Be Careful If You Rely on eyeDisk Flash Drives to Store Passwords and Other Sensitive Data

What is an eyeDisk exactly? It's a flash drive that can store your photos, documents, and other files. The MSRP for the 32GB version is $99. The logical next question is obvious: Why is it so eye-watering expensive?... Read more

May 14, 2019
Tips

Is It Safe to Store Sensitive Data like Passwords on Google Drive?

You must have heard people around you talking about Google Drive, Google's cloud storage service, or you are one of 800 million users who store their passwords, photos, videos, documents, and other important files on... Read more

July 20, 2018
How To

How to Autofill Passwords on Your Android Phone

Autofill is a handy feature that allows your device to automatically fill in forms and user credential fields with your data. Akin to password managers, which can fill out the information in other apps and websites... Read more

November 13, 2019
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.