The Fruits Mania: Belle's Adventure game – where players solve puzzles in an attempt to save the "poor fairies from the greedy raccoons" – leaked gamers' progress data.
A popular and reputable puzzle game, Fruits Mania is one of thousands of apps on the Google Play store with sensitive data hard-coded into the client side of the app.
This means that threat actors can get their hands on API (application programming interface) keys, Google Storage bucket addresses, and unprotected databases, and exploit that information simply by analyzing the app package itself, which is publicly available.
Fruits Mania: Belle's Adventure has over a million downloads on the Google Play store. At the time of writing this article, the app had a 4.7-star (out of 5) rating based on over 17,000 reviews.
Cybernews has discovered a flaw that, if exploited, could mess up the game for its fans.
Comprehensive Cybernews research of over 33,000 Android apps led to the discovery of more than 14,000 Firebase URLs on the front end of Android apps. Over 600 of them were links to open Firebase instances.
Fruits Mania: Belle's Adventure was one of the apps that left an open database, exposing user data.
Developers of the casual game, where you must match three tiles to progress, left a 240 MB database with user IDs and game progress data accessible to the public.
"Since the Firebase was left open to public access without any authorization, a threat actor could have wiped out the player’s game progress, and if no backups were done, this action could have been irreversible," Cybernews research team said.
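The "open to public access without any authorization" condition described above is, in a Firebase Realtime Database, a matter of the project's security rules. The following added example (written for this article, not the game's or Cybernews' code, and using constructed rule documents rather than the developer's real rules) shows the rule set that leaves a whole database readable and writable by anyone beside a hardened rule set that scopes each player's node to their own Firebase Auth uid, together with a small audit function that flags weak rules:

```python
import json

# Constructed sample rules, not taken from any real Firebase project.
# This is the shape of rules found in many leaky apps: anyone can read and
# write the whole database without signing in, which is what would let an
# outsider wipe every player's progress.
OPEN_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Hardened rules: each player may only read and write the node keyed by their
# own Firebase Auth uid. Everything else is denied because no rule grants it.
HARDENED_RULES = json.dumps({
    "rules": {
        "players": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
})


def classify(expr):
    """Classify one .read/.write expression (a string heuristic, not a parser)."""
    if expr is True or (isinstance(expr, str) and expr.strip() == "true"):
        return "public"          # no authentication needed at all
    if isinstance(expr, str) and "auth.uid" not in expr and "auth != null" in expr:
        return "any-signed-in"   # any account, including throwaway ones, gets access
    return "restricted"


def audit_rules(rules_json):
    """Walk a rules document and return (path, permission, class) for every rule
    weaker than 'restricted'. Paths matter because rules cascade downward: a
    public .read at /players grants reads to everything beneath it."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                cls = classify(value)
                if cls != "restricted":
                    findings.append((path or "/", key, cls))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return findings


if __name__ == "__main__":
    for name, doc in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules(doc) or "no weak rules")
```

Running this against the open rule set reports public read and write at the root, which is exactly the state that lets an unauthenticated client delete or rewrite every player's progress; the hardened set produces no findings. The classification is deliberately simple: it catches the two most common mistakes (literal `true`, and `auth != null` with no uid check) but does not evaluate arbitrary rule expressions, so it is a pre-deploy sanity check rather than a substitute for reading the rules.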
The app also leaked other sensitive hard-coded secrets, including Google Storage bucket addresses and Google API keys.
In accordance with the Cybernews responsible disclosure procedure, we have informed the developer about the security issue. Fortunately, they secured their client data, and the database was protected at the time of writing.
"Unfortunately, the developers did not provide us with a response as to how long this instance has been available to the public, or whether threat actors could use the hardcoded secrets to achieve subsequent sensitive data leakage," Cybernews research team explained.
Fruits Mania: Belle's Adventure is not the only game by the same developer with open datasets. Cybernews has not checked whether the Firebase instances belonging to the developer's other games were open or closed at the time of publishing, so it urges players to remain cautious.
Leaky Android Apps
When analyzing over 33,000 Android apps, Cybernews researchers found more than 124,000 strings potentially leaking sensitive data.
Twenty-two unique types of secrets were discovered, with various API keys, open Firebase dataset URLs, and links to Google Storage buckets being the most sensitive ones.
We found the most hard-coded secrets in apps within these five categories: health and fitness, education, tools, lifestyle, and business.
“Hardcoding sensitive data into the client-side of an Android app is a bad idea. In most cases, it can be easily accessed through reverse-engineering,” Cybernews research team said.
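Because anything compiled into the client can be recovered by reverse engineering, the practical defence is to look for these strings in your own build before it ships. The following added example (not code from the article or from the app's developer; the sample strings are constructed and the regular expressions are assumptions about the typical shape of each value) scans decompiled-app strings for the three secret types the research names: Firebase database URLs, Google Storage bucket addresses, and Google API keys.

```python
import re

# Constructed sample of decompiled-app strings (the kind of lines found in
# smali output or strings.xml). None of these values come from a real app.
SAMPLE_STRINGS = [
    'const-string v0, "https://example-game-12345.firebaseio.com"',
    'const-string v1, "gs://example-game-assets"',
    'const-string v2, "' + "AIzaSy" + "EXAMPLE" + "0" * 26 + '"',
    'const-string v3, "Welcome back, player!"',
    'https://storage.googleapis.com/example-game-backups/levels.json',
]

# Patterns for the three secret types. The API-key pattern follows the
# documented Google API key shape (AIza followed by 35 URL-safe characters);
# the Firebase pattern covers both the classic and the regional database hosts.
PATTERNS = {
    "firebase_url": re.compile(
        r"https://[a-z0-9.-]+\.(?:firebaseio\.com|firebasedatabase\.app)"),
    "gcs_bucket": re.compile(
        r"(?:gs://|https://storage\.googleapis\.com/)[a-z0-9._-]+"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}


def scan(lines):
    """Return (line_no, kind, matched_text) for every hard-coded secret candidate."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, kind, match.group(0)))
    return findings


def summarise(lines):
    """Count findings per secret type: the one-line view for a release checklist."""
    counts = {}
    for _, kind, _ in scan(lines):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def redact(value):
    """Shorten a match so a report can be shared without re-leaking the value."""
    return value if len(value) <= 12 else value[:8] + "..." + value[-4:]


if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE_STRINGS):
        print(f"line {line_no}: {kind}: {redact(value)}")
    print(summarise(SAMPLE_STRINGS))
```

A hit is a prompt for review rather than proof of a vulnerability: a Firebase URL in an app is expected and only becomes a problem when the database behind it is open, and a Google API key embedded in an Android client should be restricted in the Google Cloud console to the app's package name and signing certificate so that a copied key is of little use. Anything that must stay secret, such as credentials that grant write access to a bucket, belongs on a server the app talks to, not in the APK.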