Thousands of iOS and Android mobile applications are exposing over 113 GBs of data via over 2,271 misconfigured Firebase databases, according to a report released this week by mobile security firm Appthority.
Firebase is a Backend-as-a-Service offering from Google that contains a vast collection of services that mobile developers can use in the creation of mobile and web-based apps.
The service is insanely popular with top Android devs, providing cloud messaging, push notifications, database, analytics, advertising, and a bunch more of other backends and APIs that they can easily plug into their projects and benefit from Google's large-scale and high-performance systems within their apps.
Starting with January 2018, Appthority researchers scanned mobile apps that used Firebase systems to store user data, analyzing the app's communications pattern for requests made to Firebase domains.
Researchers searched in particular for apps that connected to Firebase-based JSON URLs that when accessed directly, allowed any unauthorized third-party to view all the app's data.
After scanning more than 2.7 million iOS and Android apps, researchers said they identified 28,502 mobile apps (27,227 Android and 1,275 iOS) that connected and stored data inside Firebase backends.
Of these, 3,046 apps (2,446 Android and 600 iOS) saved data inside 2,271 misconfigured Firebase databases that allowed anyone to view their content.
In total, the databases exposed more than 100 million records of user data. The leaked information weighed more than 113 GBs and included data such as:
Appthority says the Android versions of the leaky apps alone have been downloaded more than 620 million times from the official Google Play Store, suggesting some pretty popular apps were running on top of these leaky backends.
The security firm also said it notified Google about this issue before publishing its report and provided a list of affected apps and Firebase database servers.
This is not the first time that Appthority finds that app backend servers are exposing critical user data. Last year, the company published the HospitalGown report in which it revealed that over 1,000 apps exposed over 43 TBs of user data via MongoDB, Redis, CouchDB, Elasticsearch, and MySQL backend servers.
Also last year, Appthority researchers discovered that tens of developers had left API credentials in hundreds of applications built around the Twilio service, exposing customers' private call recordings and SMS text messages.