Misconfiguration sees Android user data at risk of being exposed
Digital security and privacy firm Avast has found more than 19,300 Android apps exposing user data to the public due to a misconfiguration of the Firebase database, a tool Android developers can use to store user data.
This affects a broad range of different apps, from lifestyle, workout, gaming to mail and food delivery apps in regions worldwide.
According to Avast research, data exposed can include personally identifiable information (PII) collected by the apps, such as names, addresses, location data, and in some cases even passwords. Avast notified Google of its findings so it could inform app developers to take corrective action.
Developers can use Firebase to facilitate developing mobile and web apps for the Android mobile platform, and they can keep their Firebase implementation visible to other developers so, technically, also visible to the public. When Avast Threat Labs researchers looked at 180,300 publicly available Firebase instances, they found that more than 10% (19,300) were open, exposing the data to unauthenticated developers. These were open due to misconfiguration by the app developers.
These open instances put the data stored and used by the apps developed with Firebase at risk of theft. The data these apps store can include a variety of information such as personally identifiable information (PII) like names, birth dates, addresses, phone numbers, location information, service tokens and keys among other things that could be exposed by this. When developers use bad security practices, records can even contain plain text passwords.
“Each one of these open instances is a data breach event waiting to happen and can pose critical business, legal and regulatory risks if they happen," says Vladimir Martyanov, malware researcher at Avast.
"Potentially the personal information of over 10% of users of Firebase-based apps could be at risk,” he says.
“Today, any company has an app - shops, gyms, postal services, or even environmental and donation apps, built for convenience, and often with good causes in mind. Even more so businesses should insist on responsible development of their apps, making security and privacy a key part of the entire app development process, not just as a later ‘bolt-on.”
Avast recommends developers stay informed about the potential risk of misconfigured databases and follow the best practices that Google has provided.
“We urge all developers to check their databases and other storage for possible misconfigurations to protect users' data and make our digital world safer,” says Martyanov.