It appears that nearly 24,000 apps on the Google Play store may have sprung data leaks. Unlike the Play Store malware and scams we often cover that actively steal or distribute user information, these apps are leaking data by accident due to poorly configured instances of Google Firebase, one of the most widely used Android app development platforms.
Firebase is used by nearly a third of all Play Store apps; according to research by Comparitech, around 4.8 per cent of those apps—around 24,000—store your data in improperly secured databases. These unsecured databases include tons of personal info like your email address, username, password, full name, phone numbers, copies of chat messages, street addresses, IP addresses, GPS data, credit card data, and more, and the databases can be accessed with just a quick web search. Google deletes Firebase databases from its search results, but they can be found with other search engines like Bing.
While 24,000 apps might seem like a small fraction of the Play Store’s massive library, Comparitech’s team found that many of the leaky apps are quite popular, with 4.22 billion collective downloads among those they tested—the most popular being games and education apps. With such high numbers, it’s quite possible that an app you’ve used has some of your data stored on an easily searchable database.
How to prevent your data from being leaked through Google Firebase
Unfortunately, the only way to completely prevent the data leaks is for each app’s developers to update their Firebase storage configuration; aside from not using these apps (which are not explicitly listed by Comparitech or elsewhere), there’s not much you can do on your end to stop this.
That said, you should use the same preventative measures as if you were concerned about malicious Android apps—which you should be, too:
Keep shared data and personal identifying information to the bare minimum. That includes contact info like your name, address, and personal email/phone numbers; any financial or payment information; and other user data like your GPS and web browser history.
Don’t link your apps and accounts together if you don’t have to. While convenient, having everything connected makes it much easier for someone to break into multiple accounts.
Vet the apps you download. Comparitech recommends only downloading apps from verified and trusted publishers with high user ratings and large download numbers—but remember that these can be misleading, too. Take extra time to read through reviews, check what permissions an app asks for, and search for more information on your favourite search engine or web community before you install anything.
Use trustworthy antimalware and antivirus apps. While these won’t necessarily prevent your data from being exposed by the Google Firebase flaw, a good antivirus/antimalware app will reduce the chances of downloading malicious files and software onto your device.
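For developers, the configuration fix mentioned above comes down to the database's security rules. The following is an added example, not code from Comparitech or this article: assuming the app uses Firebase Realtime Database (whose rules are a JSON document), it audits an exported rules file for read or write access that requires no sign-in. The sample rules and the function names are constructed for illustration.

```python
import json

# Constructed sample rules, not taken from any real app.
# WEAK: anyone on the internet can read and write the whole database.
WEAK_RULES = json.loads("""
{"rules": {".read": true, ".write": true,
           "users": {"$uid": {".read": "$uid === auth.uid"}}}}
""")
# HARDENED: each user reaches only their own record; scores need a sign-in.
HARDENED_RULES = json.loads("""
{"rules": {"users": {"$uid": {".read": "$uid === auth.uid",
                               ".write": "$uid === auth.uid"}},
           "scores": {".read": "auth != null", ".write": false}}}
""")

def _is_open(expr):
    # Rule values are booleans or expression strings. Only an unconditional
    # true is flagged; expressions such as "auth != null" still need a
    # manual review, since they admit every signed-in user.
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")

def find_open_rules(node, path="/"):
    """Return (path, operation) pairs that grant access without any condition."""
    findings = []
    for op in (".read", ".write"):
        if _is_open(node.get(op)):
            findings.append((path, op))
    # A grant at a parent path also applies to every child path, so a
    # stricter child rule (like /users/$uid in WEAK_RULES) does not help.
    for key, child in node.items():
        if isinstance(child, dict):
            findings.extend(find_open_rules(child, path.rstrip("/") + "/" + key))
    return findings

def audit(rules_doc):
    return find_open_rules(rules_doc.get("rules", {}))

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(doc))
```

An empty result only means no rule is unconditionally open; it does not show that the remaining expressions are correct.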