Appthority has discovered a significant mobile data vulnerability related to Google Firebase which has resulted in the exposure of a wide range and large amounts of sensitive data through thousands of mobile apps. The exposure is not due to malicious code, but simply to developer carelessness with securing their Firebase mobile app data stores.
Get the Full Story: Download the report
Enterprises are at significant risk from this vulnerability because 62% of enterprises have at least one vulnerable app in their mobile environment. The vulnerable apps are in multiple categories, including tools, productivity, health and fitness, communication, finance and business apps.
Worse, the data being leaked is highly sensitive including PII, PHI, plaintext passwords, social media account and cryptocurrency exchange private access tokens, financial transactions, vehicle license plate and geolocation information, and more.
Our Mobile Threat Team discovered over 2,300 unsecured Firebase databases and 3,000 unique iOS and Android apps with this vulnerability. The Android versions of these apps alone have been downloaded over 620 million times.
More than 100 million records are exposed, including:
- 2.6 million plain text passwords and user IDs
- 4 million+ PHI (Protected Health Information) records (chat messages and prescription details)
- 25 million GPS location records
- 50 thousand financial records including banking, payment and Bitcoin transactions
- 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens
See examples of apps that exposed sensitive data in the full report.
For context, Firebase is one of the most popular backend database technologies for mobile apps but does not secure user data by default. Developers must secure all tables and all rows of data in order to avoid data exposure. And, unfortunately, it takes little effort for attackers to find open Firebase app databases and gain access to millions of private mobile data app records.
In 2017, the Appthority Mobile Threat Team (MTT) discovered the HospitalGown vulnerability named for data leaking through backend data stores that are unsecured. The Firebase data exposure is a new variant of HospitalGown that occurs when mobile app developers fail to require authentication to a Google Firebase cloud database.
Get the Backstory: Download the HospitalGown report.
Full research findings on the Firebase data leakage vulnerability are shared in this Appthority Mobile Threat Report. The report includes more detail around our methodology, findings, and some examples of three specific apps (Workhive, Booster Fuels, and CryptoPort) that were leaking data (these apps are no longer vulnerable). It also contains recommendations for detecting the vulnerability and securing exposed data.
Appthority is the only mobile security vendor researching and protecting against these large scale back-end data exposures.
Download the report: Unsecured Firebase Databases: Exposing Sensitive Data via Thousands of Mobile Apps