How Thousands of iOS and Android Apps Are Collectively Leaking Data of Millions of Users
Millions of passwords and financial records are up for grabs, and users have no clue. A new report from security researchers at Appthority reveals that both Android and iOS apps are using Firebase databases to store their users' data. Firebase is a popular cloud-based backend platform for mobile and web applications, but researchers have discovered thousands of unprotected databases that leave users' information in plain sight.
The problem lies with careless developers who fail to require authentication on the Google Firebase cloud database, a service that promises to make app development easier.
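As an added illustration (not code from the Appthority report or from Google), here is a small audit of a Firebase Realtime Database rules file that flags paths readable or writable without authentication. It assumes the standard `.read`/`.write` rules JSON; the sample rules and the function names are constructed for this example.

```python
import json

# Constructed sample rules for illustration; not taken from any real app.
SAMPLE_RULES = """
{
  "rules": {
    "public_feed": {".read": true},
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "chats": {
      ".read": "true",
      ".write": true,
      "$room": {".read": "auth != null"}
    }
  }
}
"""

def _is_open(expr):
    """True when a rule grants access unconditionally (no auth check)."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")

def find_open_rules(node, path="/", inherited=frozenset()):
    """Walk a rules tree; return (path, op, reason) for unauthenticated access."""
    # Rules cascade: once a parent grants .read or .write, a child rule
    # cannot revoke it, so every child of an open node is open as well.
    findings = []
    open_here = set(inherited)
    for op in (".read", ".write"):
        if op in inherited:
            findings.append((path, op, "inherited"))
        elif _is_open(node.get(op)):
            findings.append((path, op, "explicit"))
            open_here.add(op)
    for key, child in node.items():
        if isinstance(child, dict):  # skips .validate, .indexOn and similar
            findings += find_open_rules(child, f"{path}{key}/", frozenset(open_here))
    return findings

def audit(rules_text):
    return find_open_rules(json.loads(rules_text).get("rules", {}))

if __name__ == "__main__":
    for path, op, reason in audit(SAMPLE_RULES):
        print(f"{path:16} {op:7} open to anyone ({reason})")
```

In the sample, the `$room` rule looks authenticated but is still reported, because the open grant on `chats` cascades down to it.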
Researchers looked into over 2.7 million apps on both iOS and Android, discovering 27,227 Android apps and 1,275 iOS apps storing their app’s data in Firebase database systems. 3,046 of these apps saved data within 2,271 unsecured databases with open access. 2,446 of these apps that are putting personal user data at risk are on Android and over 600 are iOS apps. Appthority also said that over 24,000 iOS apps in enterprise environments are accessing personal data for advertising purposes.
With over 113 gigabytes of data exposed and over 620 million app downloads, this is a serious security breach, yet no one is taking responsibility because ignoring basic security protections appears to be a trend. The data available for anyone to access includes:
- 2.6 million user IDs and passwords in plain text
- 25 million GPS location records
- 50,000 financial transaction records
- Over 4.5 million social media platform user tokens
- 4 million PHI (Protected Health Information) records, including private chats and prescription records
While the list of these apps hasn't been released, researchers wrote that it includes apps ranging from finance to health, travel and messaging, with developers located around the world. Google has been given the full list of the apps that are putting user data at risk. It is unclear at the moment whether Apple has also been given the list of insecure iOS apps.
“This failure by developers to properly secure their Google Firebase databases is a significant and critical mobile vulnerability exposing vast amounts of sensitive data,” Seth Hardy, Appthority director of security research, said. “The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security.”