- Researchers found that a massive number of Android apps are essentially leaking sensitive user data.
- Some of these apps even allow writing permissions to anyone out there, so actors could push malware to the users.
- Google is already taking action to mitigate the risks, but many app developers are simply negligent.

According to a report by Comparitech, a large number of Android apps are misconfiguring Google Firebase and, in practice, leaking user data. Approximately 1.5 million applications use the Firebase mobile platform, and about 24,000 of them have failed to properly secure the data stored on the service. A security research team led by Bob Diachenko analyzed roughly 18% of all apps on the Google Play store (515,735 apps) and found that 0.83% of them are leaking sensitive user data. By extrapolating their findings, they estimated that about 24,000 apps are subject to the same risks.

With such a large number of applications, the team could not realistically notify each developer individually and expect all of them to act. Instead, they reported the problem to Google, which could implement additional measures that would prompt app developers to secure their data on Firebase. Google responded by saying that it already offers a large number of features geared towards configuring secure deployments on Firebase, and that it even sends notifications to developers when it detects misconfigurations.

Google, in other words, feels that it is doing enough, but this is obviously not working in at least 24,000 cases. So, what information are these apps leaking? The Comparitech team reports the following figures:

- E-mail addresses: 7,000,000+
- Usernames: 4,400,000+
- Passwords: 1,000,000+
- Phone numbers: 5,300,000+
- Full names: 18,300,000+
- Chat messages: 6,800,000+
- GPS data: 6,200,000+
- IP addresses: 156,000+
- Street addresses: 560,000+

Considering that each person has multiple apps installed on their devices, the chances of not having at least one leaking app that compromises their privacy approach zero. The analysis mostly found problems with database exposure, but some apps even granted write permissions. This means that actors could potentially inject data into the app, phish or scam the users, and even push malware to their devices.

So, if application developers are ignoring Google’s notifications, and since we don’t know which apps are putting our privacy at risk, what can we do about it? People are advised to trust only apps that have a good rating from a large number of users. Moreover, you should avoid uploading sensitive information to any app, and you should always use unique and strong passwords on all apps, even the most “insignificant” ones.
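
For developers, the database exposure and open write access described above correspond to database rules that grant read or write to everyone. The following Python audit is an added example, not code from the Comparitech report or from Google; it assumes Firebase Realtime Database rules stored as strict JSON, and the sample rules and function names are constructed for illustration.

```python
import json

# Constructed sample: world-readable root plus a world-writable "chat" path.
WEAK_RULES = """
{
  "rules": {
    ".read": true,
    "users": {"$uid": {".write": "auth != null && auth.uid === $uid"}},
    "chat": {".write": "true"}
  }
}
"""

# Constructed sample: each user can read and write only their own record.
HARDENED_RULES = """
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
"""

def is_public(value):
    """A grant is public when the rule is literally true (boolean or string)."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip() == "true"

def audit_rules(text):
    """Return sorted (path, operation) pairs that grant access to everyone."""
    findings = []
    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write") and is_public(value):
                # A grant at a parent path also applies to every child path.
                findings.append((path or "/", key[1:]))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")
    walk(json.loads(text)["rules"], "")
    return sorted(findings)

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules(rules))
```

A rule such as `auth != null` is not flagged by this check, but it still lets any signed-in user read or write that path.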