More Than 4,000 Android Apps are Reportedly Leaking User Passwords

4 Thousand Android Apps Leak Sensitive Information

Some people can produce a long list of arguments against using Android, and you can bet that security will be pretty near the top. Publishing apps on Google Play is much easier compared to Apple's App Store, and malware operators are taking full advantage of this. Despite the numerous campaigns and the security precautions that were implemented as a result, malicious apps still manage to slip through the cracks every now and again, and Android users are constantly reminded to be careful with the software they install and use.

A recent study conducted by a team of researchers from Comparitech, however, shows that no matter how vigilant you are, you can still have your data exposed. According to it, thanks to some configuration mistakes, millions of records saved by thousands of apps can be accessed with a single search query, and this time, the problem is not limited to Android.

Thousands of Firebase-powered applications store user data in unprotected databases

The team of experts was led by Bob Diachenko who wanted to learn more about how developers use Firebase. Firebase is an app development platform that gives programmers a number of tools for managing mobile and web applications, including authentication mechanisms and cloud messaging capabilities. Diachenko was interested in Firebase's data storage mechanisms.

The research started with a little over half a million Android applications. 155 thousand of them were based on Firebase, and the researchers used the platform's REST API to access data stored by the apps. The databases of 11,730 of the apps were publicly accessible and were not protected by a password, and of them, 4,282 contained sensitive information. The leaked data included, among other things:

  • 156 thousand IP addresses
  • 560 thousand physical addresses
  • 1 million passwords
  • 4.4 million usernames
  • 5.3 million phone numbers
  • 6.2 million records containing GPS data
  • 6.8 million chat messages
  • 7 million email addresses
  • 18.3 million names

In addition to all this, some of the exposed records also contained credit card data and even photos of ID documents.

Even more worryingly, the data is stored in JSON format, and it's indexed by Bing. In other words, downloading an entire database full of sensitive information could be as easy as entering a query in Microsoft's search engine.

How big is the problem exactly?

To emphasize the seriousness of the situation, Diachenko's team tried to put the numbers into perspective. The vulnerable apps comprise less than 1% of all the applications the experts analyzed, which may not sound like a lot, but if we assume that the rate is the same for the entire Play store, we'd arrive at the conclusion that about 24 thousand of the applications offered on Google Play are leaking sensitive data. And if you think that this is not that bad, you should probably consider the fact that the 4,282 apps Diachenko and his team looked at have a combined download count of 4.22 billion.

The problem spans beyond Google Play and Android. Developers of web-based and iOS applications use Firebase as well, and we can only guess how many of them have made the same configuration mistake.

The creators of the 4,282 vulnerable apps were urged to secure their databases after Diachenko disclosed the issue to Google, and mobile app developers are advised to be a bit more careful when setting up their Firebase-powered applications. Meanwhile, users are told that they should use unique passwords for all their accounts and should not share too much information with the applications on their smartphones. Unfortunately, in this particular case, this is all they can do.
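The "configuration mistake" behind these exposures is the Realtime Database security rules: a database whose root grants `.read` to everyone answers an unauthenticated `GET /.json` with its entire contents. The following rule set is an added example, not taken from the article or from Comparitech, and the `users`/`$uid`/`public_content` layout is assumed for illustration; Firebase's rules editor and `database.rules.json` accept `//` comments.

```json
{
  // Wide-open rules of the kind behind the leaks described above look like this:
  //   { "rules": { ".read": true, ".write": true } }
  // Paths that match no rule are denied to everyone, so anything not
  // listed below is neither readable nor writable without a matching rule.
  "rules": {
    "users": {
      "$uid": {
        // Only the signed-in user may read or write their own record.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "email": {
          // Reject writes that are not a plausible e-mail string.
          ".validate": "newData.isString() && newData.val().matches(/^.+@.+$/)"
        }
      }
    },
    "public_content": {
      // World-readable by design; only authenticated users may post.
      ".read": true,
      ".write": "auth != null"
    }
  }
}
```

A quick self-check after deploying rules is to request `https://<your-project>.firebaseio.com/.json` without credentials: a correctly locked-down database answers with a permission-denied error rather than data.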

May 13, 2020
