Firebase: Personal Data Leak on Certain Android Apps

Acquired by Google in 2014, Firebase is a mobile platform that helps users develop applications quickly and securely. It is the favorite platform of many developers for its cloud synchronized database. It facilitates collaboration between different platforms, and is accessible to the general public.

It guarantees developers to configure their applications securely. But new research from Comparitech suggests that due to configuration errors, some Firebase applications expose sensitive information, including passwords, phone numbers, and digital messages, to anyone who wants to see it. Here's what you need to know.

Android application configuration errors

A Comparitech research team led by Bob Diachenko analyzed a collection of 515,735 Android apps available on Google Play. Of these, 155,066 were using Firebase. According to the analysis from Comparitech, 11,730 of these applications publicly exposed user databases.

Worse, 9,014 exposed the write permissions necessary to allow a potential attacker to modify data, including adding or removing it, as well as viewing or downloading it. The analysis also found that 4,282 apps leaked sensitive information.

According to the report, this data included 7 million email addresses, and almost as many email messages. Not to mention that 4.4 million usernames and 1 million passwords were leaked, as well as 5 million phone numbers released. These figures are particularly disturbing, but they must be put in context. It was estimated that more than 1.5 million applications were using the Firebase platform, on Android and iOS, in March 2020. Even if we extrapolate from the figures of the analysis, as did Comparitech, this does not represents 1.6% of all apps using Firebase and 0.94% of all apps available for download from Google Play.

Hunting Dangerous Firebase Applications

Comparitech researchers were able to flush out dangerous applications by searching the resources for text strings indicating the use of Firebase. Then, by adding a request to the database URL, they were able to access public data via the Firebase REST API for the stored data. Researchers wanted a denial of access response as it would indicate non-public exposure, but as the report shows, they often ended up with the full content of the database. This is where the researchers had access to sensitive information which was then manually verified to detect false positives.

"All of the data accessed has been destroyed," said the researchers. They ensured that their research was "fully compliant with safety standards and procedures". To reveal any write access to the databases, a PUT request was used to create a new node and then delete it.

Reduce the risk of configuration errors

As with all database leakage problems related to a configuration error, the procedure is quite simple: care must be taken to ensure that the database is correctly configured when it is set up. Unfortunately, it's not as simple as that.

So, of course, the advice offered to developers regarding rules and database protection is legitimate. Recommend that application developers follow the guidelines as defined in Google's Firebase documentation should be self-evident, but it isn't.

This has been demonstrated many times, poorly configured databases give rise to reports of data leaks. Indeed, at the start of this year, it was reported that an astonishing 82% of security breaches were due to configuration errors of all kinds.

Does the responsibility rest only on Google and Firebase?

Besides the fact that it is not useful to look for a culprit, everything is not black or white. "Anyone who doesn't think that IT and software development is not a dangerous process just doesn't understand how it all works," said Ian Thornton-Trump, CIO at Cyjax, "The problem is not the error, but our reaction to it ”.

Security expert John Opdenakker agrees and says that the solution lies in "a secure software development system because it integrates security into the process, and as such, the time it takes. security configuration can be fully planned ”.

If there's one thing that hurts developers, it's time. Sean Wright, Application Security Trainer and Co-Director ofOpen Web Application Security Project (OWASP) is convinced of this. "One thing I have seen so often is that many developers are under constant pressure to launch their applications," says Wright. "This means that in the end, they will take the shortest route to launch it as soon as possible."

So it's not uncommon for application developers to refer to already existing examples of database security systems rather than the original documentation. "It's okay if they copy a secure system," says Wright, "but more often than not it isn't. Developers need to understand what they are doing, but given the time constraints they are under, this is often impossible. "

But what does Google say about the configuration error?

Comparitech researchers informed Google of the report's findings on April 22 and received the following statement in response:

“Firebase offers a number of features that help our developers configure their applications securely. We provide notifications to developers about possible configuration errors and offer recommendations for fixing them. We’re reaching out to affected developers to help resolve these issues. "

Translated from Forbes US – Author: Davey Winder

<<< À lire également : Alphabet (Google) : Des Résultats Solides Malgré La Crise >>>



Categories Tech

Leave a Comment