Firebase is a popular mobile platform that offers the ability to develop apps fast and securely. Its popularity among app developers is quite high as it offers access to a real-time database hosted in a cloud environment, facilitating convenient storage and data synchronization between users. It is also a solid choice for cross-platform apps and comes with the benefit of serverless app development.
However, the security benefits offered by Firebase aren’t as powerful if the database is not configured correctly, and some developers may have landed in hot water. A new study conducted by a cybersecurity company argues that basic misconfigurations of the database can lead to major risks as sensitive data will be exposed.
The survey conducted by the company explored a lot of 615,730 apps present on the Google Play Store. More than 155,000 of these apps were relying on Firebase, and 11,730 of them were poorly configured, exposing the Firebase database publicly. The problem becomes even more acute as 9,014 included the write permissions, which are needed to remove or add data besides gaining access to it in the first place. It was also revealed that more than half of the apps were also able to leak sensitive information.
Attackers could gain to more than 7 million email addresses and a similar number of chat messages. A combination of 4.4 million usernames and 1 million passwords were also available. There are also 5 million phone numbers that can be harvested and used for nefarious purposes.
While the numbers may seem high, it is important to highlight the fact that only 1.6% of all apps use Firebase. The number is even lower when availability on Google Play is taken into account.
The security analysts who conducted the research destroyed all the accessed data, and a series of recommendations have been released for developers who use or wish to use Firebase for their apps.