Thousands of Android and iOS apps are leaking your data through their Firebase backend (Update)

Update July 2, 2018:

Google has responded to our inquiry and a bit of discussion with a member of the Google Cloud team has cleared up a few of the questions surrounding this report.

Firebase databases are secure by default when they are created and all of these cases are instances where a developer hasn't followed best practices in one form or another. Google publishes a full guide on securing realtime databases with Firebase. Additionally, the Firebase admin console displays an unmistakable warning when a database has had the normal default protections removed and is configured to allow for public access.

Google also tells me that emails were sent to all insecure projects with complete directions on how to turn database security back on in December 2017. It's clear after speaking with a member of the Google Cloud team that Firebase is as safe as we all had thought it was and that issues like this are attributed to developer mistakes.
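The misconfiguration the update describes lives in the project's security rules, a JSON document in which each node can carry a `.read` and `.write` entry whose value is either a boolean or a string expression evaluated against the request (for example `"auth != null"`, which requires a signed-in user). The following is an added example, not code from the article or from Google or Firebase: it places the open rule set beside a locked-down one and walks a rules document to flag every path that grants access unconditionally, which is the check a developer or reviewer would want to run before treating a database as safe. Both rule sets are constructed for this example, and the `users/$uid` subtree is an assumed layout, not one taken from any affected app.

```python
"""Added example (not from the article or from Google/Firebase): an offline
check that flags Firebase Realtime Database rules which grant anonymous
read or write access.

Rules are a JSON document of the form {"rules": {...}}. A node may carry
".read" / ".write" entries whose value is a boolean or a string expression
evaluated against the request context (e.g. "auth != null"). A rule of
`true` at a node opens that node and everything beneath it to anyone."""
import json

# Constructed example: the misconfiguration the article describes, with the
# whole tree readable (and here also writable) by anyone who has the URL.
OPEN_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Constructed example: authenticated users only at the root, plus an assumed
# per-user subtree that only the owning user may read or write.
LOCKED_RULES = json.dumps({
    "rules": {
        ".read": "auth != null",
        ".write": "auth != null",
        "users": {
            "$uid": {
                ".read": "$uid === auth.uid",
                ".write": "$uid === auth.uid",
            }
        },
    }
})


def _is_unconditional(value) -> bool:
    """True if a rule value grants access with no condition at all.

    Firebase accepts either the boolean true or the string "true"."""
    if value is True:
        return True
    return isinstance(value, str) and value.strip().lower() == "true"


def find_public_paths(rules_json: str) -> list:
    """Return (path, permission) pairs granted to unauthenticated callers.

    Every such path deserves review: a deliberately public subtree (say,
    a read-only config node) may be fine, but an unconditional rule at "/"
    is exactly the exposure the article reports."""
    doc = json.loads(rules_json)
    findings = []

    def walk(node: dict, path: str) -> None:
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_unconditional(value):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


def is_world_readable(rules_json: str) -> bool:
    """Convenience check: does the root of the database allow anonymous reads?"""
    return ("/", ".read") in find_public_paths(rules_json)


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("locked", LOCKED_RULES)):
        print(f"{name}: public paths = {find_public_paths(rules)}")
```

Run against the exported rules of a project (the console and CLI both expose them as JSON), an empty result from `find_public_paths` means no path is reachable without a token; anything reported at `/` is the state the console warns about.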

The original article appears below.

Firebase is a great service for any small developer who needs to have an online service at their disposal. It's powered by Google and the company goes out of its way to help developers use it in their mobile apps. You can see by simply watching any Google I/O session video about Firebase that developers actually cheer when the service is mentioned.

Apparently, some of those developers have hit a snag when it comes to configuring the database they may be using to store your data. After scanning 2.7 million apps, security researchers at Appthority say more than 113GB of data is available through over 2,200 Firebase databases to anyone who knows the right URL. In total, there are over 100 million personal records exposed.

Researchers found 28,500 apps that used Firebase to connect and store user details, of which 3,046 stored their data inside a misconfigured Firebase database that was readable through the use of a JSON URL scheme. The majority of the apps that use Firebase are for Android, but 600 apps that exposed data are for iOS. The problem is platform-agnostic, and the apps in question aren't the culprit here. It's simply the database configuration on the backend.

The information leaked contains:

  • 2.6 million plaintext passwords and user IDs.
  • 4 million+ PHI (Protected Health Information) records.
  • 25 million GPS records.
  • 50 thousand financial records, including Bitcoin transactions.
  • 4.5 million Facebook, LinkedIn, corporate data-store user tokens.

Appthority informed Google about the database configuration and provided the list of affected apps before this report was published. We've reached out to see if Google has anything they would like to add and will update once it's received.

Appthority is no stranger to finding poorly configured online databases. Previously the company has found "critical" user data exposed through services like MongoDB, CouchDB, Redis, MySQL, and Twilio.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • Great. Just great.
  • Is there any way to see the list of apps?
  • Doubtful. Listing the apps would be pretty irresponsible on Appthority's part because that would also give away the JSON argument needed to see the user data. The material they provide to press doesn't have them listed. Normally I'd be right there with you and want to know, but this time I'm OK with the special treatment.
  • I agree with Jerry. Imo, the best action is to let Google and the devs fix the problem and when all is fine and dandy the devs should issue an email or in-app message suggesting their users to change password and such. This might be risky for the devs because they might lose a lot of users but if they truly care then they will man up.
  • This is why you need UNIQUE random long passwords for EVERY individual account.
  • derp derp. I can't read.
  • So this is an internal database engine error? Using ( a rogue ) script to inadvertently pull data or transmit data seems to be an engine error or lack of constraints or validation in the script or programming language... Dunno... Interesting. That's why I like frequent updates...
  • Problem with Firebase is that you can't really encrypt your passwords because you are not using a server. If you have a server you can encrypt it there and then the information to Firebase. It's what I do on my app. Those devs are probably using Firebase directly connected to their mobile apps. I don't blame them, it is very easy to do.
  • Looking at Firebase information... "Firebase Authentication aims to make building secure authentication systems easy, while improving the sign-in and onboarding experience for end users. It provides an end-to-end identity solution, supporting email and password accounts, phone auth, and Google, Twitter, Facebook, and GitHub login, and more. FirebaseUI provides a customizable, open source, drop-in auth solution that handles the UI flows for signing in users. The FirebaseUI Auth component implements best practices for authentication on mobile devices and websites, which can maximize sign-in and sign-up conversion for your app." I have never done any HIPAA work, but - that - seems a bit open for my interpretation of being HIPAA compliant...? Or am I wrong?
  • Jerry, this article you wrote appears to be a slightly condensed, but nearly identical variation of the Catalin Cimpanu article posted June 23 at 5am on the security news oriented website. No, I'm not accusing Jerry of plagiarism. It could be explained that Catalin OK'd Jerry's article a week after its original publication. Indeed, Jerry also provided a link to the original article, and original researchers. gets exposure to the more general Android Central audience. Some interesting stuff on the website... I added it to my home screen... So it worked. It's only a problem if Jerry didn't get permission.
  • And so what if he did? Not going to hurt me, you, or anyone else. It can only hurt him. But I’m sure he had permission and if he didn’t, I still learned something today.
  • I think the next big question is whether this is a flaw on Google's end or a misconfiguration on the developer's end who configured their app's database? Kind of in the same manner where companies leave cloud storage buckets open to the world that should not be.
  • In this day and age I find it incredible that passwords are stored in plain text. Unfortunately it's way too common.
  • This. Just amazing. Amateur hour indeed.
  • Backend leaks are so embarrassing.
  • Wow.
    Another reason to look for alternatives to iOS and Android and try as much as possible to stay away from apps and use web versions where possible. Can't wait for that Librem 5 phone. Jerry, please can you write something about this amazing open source project from Pure OS (almost in final stage)? :)
  • Nothing to do with iOS or Android. It is the apps fault. Also, as the web site would have the same backend configuration then it too would be vulnerable.
  • Sorry, I'm illiterate to read between the lines. All I saw was Apps here , Apps there and this whole article to me looked like it was about the apps across all platforms.
    However, what I meant to say is that if one chooses to use fewer apps it will make him/her safer. That's a fact even if it has nothing to do with this specific issue. Apps collect too much of our data.
    What is also a fact is that if one is concerned about privacy, Android is designed to collect your data to make profits for Google and to make your experience better - more convenient.
    There is a demand - a market - for those seeking protection while willing to sacrifice some features and put up with other "inconveniences". Essentially paying more.
    So, I really hope we see some quality products to fill this gap.
  • OS update would have protected users....
  • Wrong. Reading is hard.
  • This has not been a good week for Android security. And that's very troubling.
  • Wrong, nothing to do with Android.
  • But everything to do with Google...
  • If it affects mostly Android devices, then it has a lot to do with Android.
  • As a developer, I can tell you that this is not an Android, Google or Firebase issue. It is a developer issue. By default, Firebase doesn't add any security rules to any of their services including the database. It is the developer's responsibility to add those rules, which, quite frankly, are stupid easy to implement. If a developer fails to do such, all one needs to do is get the URL of the request and you can potentially see all the data from the database in JSON format.
  • Good to know, and I assume the major apps on my phone from banking and email services as well as the well known social media apps won't be affected?
  • Wow.
    Maybe Firebase should by default add some level of protection. I've worked with different types of databases from Access to SQL Server on the Windows side - and they pretty much at least - default - out to password protect their databases... The database should always close after each transaction... Or time out on the server side... Now - Object Databases - I have not worked with... or with Firebase. Regardless - this does not bode well for the quality of those apps or the ability of those - so called developers... and having those discretionary apps on Google Play - that is questionable at best...
  • Great just great.
  • Great thanks.
  • Great
  • Ok
  • Microsoft should tell the world about this... Google would if rolls were reversed...
  • If rolls were reversed, you'd get butter on the table!
  • Ha ha ha... Got me there... 😁
  • Except it has nothing to do with Android.
  • But it has everything to do with Google...
  • Nope
  • As I understand it these very insecure apps are in the Google app store?
    The app store we are led to believe is safe because Google polices it?
  • The "4 million+ PHI (Protected Health Information) records", IF they really are PHI, is an extremely serious issue that could land developers in jail with crushing financial penalties. PHI is not even allowed to be emailed. Exposing PHI is unlike other kinds of data breaches. HIPAA rules - which cover PHI - have some very nasty penalties including jail time and fines PER INCIDENT which are escalated in severity to cover repeat/indifferent offenders, and if these really do qualify as PHI and if HIPAA's enforcement becomes aware of this... those developers are about to have a very, very bad day.
  • If it is a developer or team that is responsible - yes - they are going to have very tough times ahead of them.
  • This problem can only be either complacency or sabotage by a disgruntled employee.
  • Best to stop ******* off the very employees that are responsible for so much within a company...