New investigation: 19,300 Android apps from Latin America & Southeast Asia PlayStore leak users’ personal data

Researchers at security firm Avast published a report related to Firebase, a Google platform for developing web applications and mobile apps as well. This is a platform that facilitates the development of complex applications, especially projects for the Android operating system.

In July 2021, the firm concluded a months-long investigation, analyzing up to 180,300 Firebase instances and finding that at least 19,300 of these deployments (more than 10% of the instances analyzed) were fully exposed. These resources expose user data due to multiple configuration errors by developers, leaving users of these applications vulnerable.

These addresses were extracted both statically and dynamically from different sources, mainly from Android applications developed on Firebase.

Due to the nature of the information exposed, users of the apps linked to these projects can be exposed to severe risks. According to the report, some implementations expose all kinds of sensitive information, including names, dates of birth, phone numbers, email addresses, location details and, in extraordinary cases, passwords in plain text.

It is worth mentioning that many of these risks depend on the work of the developer. If negligent use of the platform and user data is made, threat actors will have a much easier job.

Avast experts note that the problem extends to users in various regions of the world, including Latin America, the European Union, Russia and South Asia. Because Firebase databases allow you to store paid application information, the risk increases for affected users.

For obvious reasons this analysis only considered a sample of all Firebase instances in existence. In fact, Avast believes that up to 11% of all projects on this development platform could be similarly affected today.  

The research was presented to Google, which pledged to notify affected developers, recommending implementing some fixes in its current Firebase usage policy. Fortunately, the company already has some additional security features for data protection in Firebase, including the use of notifications and alerts via email about possible configuration errors.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.