Android application security. At least 4000 could leak data

When Apple announced that its mobile devices would use an app store as the way to install software, many believed it would put an end to a large part of computing's security problems. Google adopted the same model for Android, and Microsoft brought it to the desktop in Windows 8.

Actually, Steve Jobs' idea was not new. Application stores are nothing more than the package managers that Linux users have been using for years. And it is not as if it has helped all that much.

A few days ago, a group of researchers published a report analyzing 515,735 Google Play applications, roughly 18% of the available offering. Of those, at least 4,282 apps had security issues that would allow sensitive information to be leaked. If the extrapolation holds, a total of 24,000 applications would present the same problem.

All the flaws have a common origin: a Google-owned platform called Firebase. But it does not appear to be Google's fault; rather, the cause is configuration errors by developers.

Firebase is a mobile platform that helps developers build applications quickly and securely. It offers a real-time database hosted in the cloud that allows easy storage and synchronization of data between users.
Among other things, the platform provides developers with tools for:

  • Authentication.
  • Hosting.
  • Cloud storage.
  • Real-time databases.
  • Analytics.
  • Messaging.
  • Ad integration.
  • Machine learning.

It is estimated that Firebase is used by 30 percent of all applications in the Google Play Store, which makes it the most popular storage solution for Android applications.

Android application security. The problem in numbers

4.8% of mobile applications that use Google Firebase to store user data are not properly protected, which allows anyone to access the databases containing users' personal information, access tokens and other data without needing a password or any other type of authentication.

Although the study focused on Android applications in the Google Play Store, keep in mind that Firebase is a cross-platform tool used on various operating systems and platforms. These misconfigurations likely affect many more apps beyond Android.

The applications with security problems identified by the researchers have been installed at least 4.22 billion times by Android users. A smartphone is known to have between 60 and 90 applications installed, which implies that each of us has a high chance of having at least one vulnerable application.

To get a sense of the magnitude of the exposures, consider these figures:

  • Over 7,000,000 email accounts.
  • Over 4,400,000 usernames.
  • Over 1,000,000 passwords.
  • Over 5,300,000 phone numbers.
  • Over 18,300,000 full names of users.
  • Over 6,800,000 chat messages.
  • Over 6,200,000 GPS records.
  • Over 156,000 IP addresses.
  • Over 560,000 street addresses.

Of the 155,066 applications analyzed, 11,730 had publicly exposed databases. 9,014 of them even allowed write access, which would let an attacker add, modify or delete data on the server, as well as view and download it.

These vulnerabilities would allow cybercriminals to:

  • Inject data into an application.
  • Use the applications for phishing.
  • Spread malware.
  • Corrupt the application database.

To make things easier for criminals, those databases can be found in search engines

Last December, a security researcher discovered that exposed Google Firebase databases could be found through search engines operated by other companies.

Alex "Ghostlulz" Thomas, an independent security researcher and former analyst at the cybersecurity consulting firm Bishop Fox, published a blog post in December demonstrating how misconfigured Firebase databases could be found and downloaded. Just appending .json to the end of the URL is enough to view them.
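The "configuration errors by developers" behind these exposures are the Firebase Realtime Database security rules, a JSON document in which `.read` and `.write` set to `true` grant anonymous access to a node and everything beneath it. As an added illustration that is not part of the article or the researchers' report, the following Python audit walks a rules document (the three rule sets are constructed for the example) and flags every permission that does not depend on `auth`, which is what a developer could run before deploying:

```python
import json
from typing import List, Tuple

# Constructed example rule sets, not taken from any real application.
# A permission granted at a node cannot be revoked by a child node,
# so a top-level "true" exposes the whole database (read and write).
EXPOSED_RULES = json.dumps({"rules": {".read": True, ".write": True}})

# World-readable chats, but writes require a signed-in user.
MIXED_RULES = json.dumps({"rules": {
    "chats": {".read": True, ".write": "auth != null"},
}})

# Each user may only read and write their own subtree.
HARDENED_RULES = json.dumps({"rules": {
    "users": {
        "$uid": {  # "$uid" is a wildcard matching any child key
            ".read": "auth != null && auth.uid == $uid",
            ".write": "auth != null && auth.uid == $uid",
        }
    }
}})


def is_unconditional(expr) -> bool:
    """A permission is open to anonymous clients when it is the literal true
    or a rule expression that never consults auth (e.g. "newData.exists()")."""
    if expr is True:
        return True
    if isinstance(expr, str):
        return "auth" not in expr
    return False  # false or an unexpected type: no access granted


def audit_rules(rules_json: str) -> List[Tuple[str, str]]:
    """Return (path, permission) pairs reachable without authentication.
    An empty list means no anonymous read or write is granted anywhere."""
    findings: List[Tuple[str, str]] = []

    def walk(node: dict, path: str) -> None:
        for key, value in node.items():
            if key in (".read", ".write"):
                if is_unconditional(value):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return findings


if __name__ == "__main__":
    for name, rules in (("exposed", EXPOSED_RULES), ("mixed", MIXED_RULES),
                        ("hardened", HARDENED_RULES)):
        print(name, audit_rules(rules))
```

The check is deliberately conservative: a node that is meant to be public (for example a read-only config tree) is still reported so that someone confirms the exposure was intended.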

As users we can take some measures to protect ourselves:

  • Do not reuse the same password on multiple accounts. It is recommended to use a password manager to generate and store strong random passwords.
  • Use only trusted applications that are frequently patched and widely installed.
  • Do not share sensitive personal information such as addresses, government identification photos, social security numbers, etc.
