Thousands of Android and iOS apps leaking data due to misconfigured Firebase databases

Last updated:

Thousands of Android and iOS mobile apps are exposing over 113 GBs of data via over 2,271 misconfigured Firebase databases, according to a report released this week by mobile security firm Appthority. Firebase is a popular cloud-based backend platform for mobile and web applications from Google that contains a huge collection of services that mobile developers can use in the creation of mobile and web-based apps.

The service is popular with top Android devs, providing cloud messaging, push notifications, database, analytics, advertising, and a bunch more of other backends and APIs that they can easily plug into their projects and benefit from Google’s large-scale and high-performance systems within their apps.

Starting from January 2018, Appthority researchers scanned mobile apps that used Firebase systems to store user data, analyzing the app’s communications pattern for requests made to Firebase domains. Researchers searched in particular for apps that connected to Firebase-based JSON URLs that when accessed directly, allowed any unauthorized third-party to view all the app’s data.

After scanning more than 2.7 million iOS and Android apps, researchers said they identified 28,502 mobile apps (27,227 Android and 1,275 iOS) that connected and stored data inside Firebase backends.

Of these, 3,046 apps (2,446 Android and 600 iOS) saved data inside 2,271 misconfigured Firebase databases that allowed anyone to view their content.

In total, the databases exposed more than 100 million records of user data. The leaked information weighed more than 113 GBs and included data such as:

  • 2.6 million plaintext passwords and user IDs
  • 4 million+ PHI (Protected Health Information) records (chat messages and prescription details)
  • 25 million GPS location records
  • 50 thousand financial records including banking, payment and Bitcoin transactions
  • 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens

Appthority says the Android versions of the leaky apps alone have been downloaded more than 620 million times from the official Google Play Store, suggesting some pretty popular apps were running on top of these leaky backends.

The security firm also said it notified Google about this issue before publishing its report and provided a list of affected apps and Firebase database servers.

They say they have also reached out to the app developers themselves. While the list of vulnerable apps have not been made public, they include apps in categories ranging from messaging and finance to health and travel. The companies or creators behind these affected apps are located around the world.

Rapid Mobile

Rapid Mobile uses cookies, tokens, and other third party scripts to recognise visitors of our sites and services, remember your settings and privacy choices, and - depending on your settings and privacy choices - enable us and some key partners to collect information about you so that we can improve our services and deliver relevant ads.


By continuing to use our site or clicking I Accept, you agree that Rapid Mobile and our key partners may collect data and use cookies for personalised ads and other purposes, as described more fully in our privacy policy.


You can change your settings at any time by clicking Manage Settings or by visiting our Privacy Centre for more detailed information.


Privacy Settings saved!
Cookie Services

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

These cookies allow us to count visits and traffic sources, so we can measure and improve the performance of our site.

We track anonymized user information to improve our website.
  • _ga
  • _gid
  • _gat

Decline all Services
Accept all Services