Fruits Mania, a well-known and trusted puzzle game, is one of thousands of apps on the Google Play store that have private information hard-coded into the client side of the app.
As a result, threat actors can easily gain access to unprotected databases, Google Storage buckets, and API (application programming interface) keys simply by studying the publicly accessible app data.
More than a million people have downloaded Fruits Mania: Belle’s Adventure from the Google Play store. The app had a 4.7-star (out of 5) rating at the time this article was being written, based on more than 17,000 reviews.
Over 14,000 Firebase URLs were found on the client side of Android apps after thorough Cybernews research into over 33,000 Android apps. 600 or more of them pointed to active Firebase instances.
One of the applications that exposed user information was Fruits Mania: Belle’s Adventure, which left an open database.
Developers of the casual game, in which you must match three tiles to progress, left a 240MB database containing user IDs and game progress data accessible to the public.
“Since the Firebase was left open to public access without any authorization, a threat actor could have wiped out the player’s game progress, and if no backups were done, this action could have been irreversible,” the Cybernews research team said.
The app also leaked other sensitive hard-coded secrets, including Google Storage bucket addresses and Google API keys.
In accordance with the Cybernews responsible disclosure procedure, we have informed the developer about the security issue. Fortunately, they secured their client data, and the database was protected at the time of writing.
“Unfortunately, the developers did not provide us with a response as to how long this instance has been available to the public, or whether threat actors could use the hardcoded secrets to achieve subsequent sensitive data leakage,” the Cybernews research team explained.
Fruits Mania: Belle’s Adventure is not the only game with open datasets owned by the same developer, so Baubonis urges players to remain cautious, since Cybernews has not checked whether other Firebase instances belonging to games published by this developer were open or closed at the time of publishing.
When analyzing over 33,000 Android apps, Cybernews researchers found more than 124,000 strings potentially leaking sensitive data.
Twenty-two unique types of secrets were discovered, with various API keys, open Firebase dataset URLs, and links to Google Storage buckets being the most sensitive ones.
We found the most hard-coded secrets in apps within these five categories: health and fitness, education, tools, lifestyle, and business.
“Hardcoding sensitive data into the client-side of an Android app is a bad idea. In most cases, it can be easily accessed through reverse-engineering,” the Cybernews research team said.
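As an added example (not Cybernews' tooling and not code from the game), here is a small pre-release check a developer can run over a decoded APK's string resources to flag the kinds of hard-coded values the research describes: Firebase database URLs, Google API keys and storage bucket addresses. The regular expressions, the triage text and the sample lines are illustrative assumptions; the key in the sample is a fake placeholder.

```python
import re
from dataclasses import dataclass

# Illustrative patterns (assumptions, not Cybernews' detection rules): Google API
# keys start with "AIza" and are 39 characters; Firebase Realtime Database hosts end
# in firebaseio.com or firebasedatabase.app; buckets appear as gs:// or storage URLs.
PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "firebase_db_url": re.compile(
        r"https://[a-z0-9.\-]+\.(?:firebaseio\.com|firebasedatabase\.app)\b"),
    "gcs_bucket": re.compile(
        r"\bgs://[a-z0-9][a-z0-9._\-]+|https://storage\.googleapis\.com/[a-z0-9][a-z0-9._\-]+"),
}

# What a hit means for the reviewer: a database URL or bucket name is only a problem
# if its access rules are open; a key is only a problem if it is unrestricted.
TRIAGE = {
    "google_api_key": "confirm the key is restricted by app signature and API, or rotate it",
    "firebase_db_url": "verify the database rules deny unauthenticated read and write",
    "gcs_bucket": "verify the bucket is not publicly listable or readable",
}

@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    action: str

def scan_strings(lines):
    """Return one Finding per pattern match across the given resource lines."""
    findings = []
    for line in lines:
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, match.group(0), TRIAGE[kind]))
    return findings

# Constructed sample of decoded strings.xml lines (hypothetical app, fake key).
SAMPLE_STRINGS = [
    '<string name="app_name">Example Match-3</string>',
    '<string name="firebase_database_url">https://example-game-12345.firebaseio.com</string>',
    '<string name="google_api_key">AIzaSyEXAMPLE0123456789abcdefghijklmnop</string>',
    '<string name="level_pack">gs://example-game-12345.appspot.com/levels/</string>',
    '<string name="version">1.0.3</string>',
]

if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        print(f"{f.kind}: {f.value} -> {f.action}")
```

Run it over the output of `apktool d` (or `strings` on the APK) in CI and fail the build on any finding that has not been explicitly reviewed.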
This post was last modified on 3 December 2022 12:54 AM