Prague, Czech Republic, September 6, 2021 – Avast (LSE:AVST), a global leader in digital security and privacy, has found over 19,300 Android apps exposing user data to the public due to a misconfiguration of the Firebase database, a tool Android developers can use to store user data. This affects a broad range of different apps, from lifestyle, workout, gaming to mail and food delivery apps in regions worldwide including in Europe, South-East Asia and Latin America. 

Data exposed can include personally identifiable information (PII) collected by the apps, such as names, addresses, location data, and in some cases even passwords. Avast notified Google of its findings so they could inform app developers to take corrective action.  

Developers can use Firebase to facilitate developing mobile and web apps for the Android mobile platform, and they can keep their Firebase implementation visible to other developers so, technically, also visible to the public. When Avast Threat Labs researchers looked at 180,300 publicly available Firebase instances, they found that over 10% (19,300) were open, exposing the data to unauthenticated developers. These were open due to misconfiguration by the app developers.

These open instances put the data stored and used by the apps developed with Firebase at risk of theft. The data these apps store can include a variety of information such as personally identifiable information (PII) like names, birthdates, addresses, phone numbers, location information, service tokens and keys among other things that could be exposed by this. When developers use bad security practices, records can even contain plain text passwords.

“Each one of these open instances is a data breach event waiting to happen and can pose critical business, legal and regulatory risks if they happen. Potentially the personal information of over 10% of users of Firebase-based apps could be at risk,” explained Vladimir Martyanov, Malware Researcher at Avast. “Today, any company has an app - shops, gyms, postal services, or even environmental and donation apps, built for convenience, and often with good causes in mind. Even more so businesses should insist on a responsible development of their apps, making security and privacy a key part of the entire app development process, not just as a later ‘bolt on.”

Avast recommends developers to stay informed about potential risk of misconfigured databases and follow the best practices that Google has provided.

“We urge all developers to check their databases and other storage for possible misconfigurations to protect users' data and make our digital world safer,” said Vladimir Martyanov.

For more information, please read the full blog and research on Avast Decoded.