© 2023 CyberNews - Latest tech news,
product reviews, and analyses.

If you purchase via links on our site, we may receive affiliate commissions.

Android puzzle game with 1m+ downloads exposed player data

The Fruits Mania: Belle's Adventure game – where players solve puzzles in an attempt to save the "poor fairies from the greedy raccoons" – leaked gamers' progress data.

A popular and reputable puzzle game, Fruits Mania is one of thousands of apps on the Google Play store with sensitive data hard-coded into the client side of an app.

This means that threat actors can get their hands on API (application programming interface) keys, Google Storage buckets, and unprotected databases, and exploit that information simply by analyzing publicly available information about apps.

Fruits Mania: Belle's Adventure has over a million downloads on the Google Play store. At the time of writing this article, the app had a 4.7-star (out of 5) rating based on over 17,000 reviews.

Cybernews has discovered a flaw that, if exploited, could mess up the game for its fans.


Comprehensive Cybernews research of over 33,000 Android apps led to the discovery of more than 14,000 Firebase URLs on the front end of an Android app. Over 600 of them were links to open Firebase instances.

Fruits Mania: Belle's Adventure was one of the apps that left an open database, exposing user data.

Developers of the casual game, where you must match three tiles to progress, left a 240MB-strong database with user IDs and game progress data accessible to the public.

"Since the Firebase was left open to public access without any authorization, a threat actor could have wiped out the player’s game progress, and if no backups were done, this action could have been irreversible," Cybernews research team said.

Open URL

The app also leaked other sensitive hard-coded secrets, including Google Storage bucket addresses and Google API keys.

In accordance with the Cybernews responsible disclosure procedure, we have informed the developer about the security issue. Fortunately, they secured their client data, and the database was protected at the time of writing.

"Unfortunately, the developers did not provide us with a response as to how long this instance has been available to the public, or whether threat actors could use the hardcoded secrets to achieve subsequent sensitive data leakage," Cybernews research team explained.

Fruits Mania: Belle's Adventure is not the only game with open datasets owned by the same developer, so Cybernews urges players to remain cautious, since Cybernews hasn't checked whether other firebases belonging to games published by this developer were open or closed at the time of publishing.

Leaky Android Apps

When analyzing over 33,000 Android Apps, Cybernews researchers found more than 124,000 strings potentially leaking sensitive data.

Twenty-two unique types of secrets were discovered, with various API keys, open Firebase dataset URLs, and links to Google Storage buckets being the most sensitive ones.

Main statistics

We found the most hard-coded secrets in apps within these five categories: health and fitness, education, tools, lifestyle, and business.

“Hardcoding sensitive data into the client-side of an Android app is a bad idea. In most cases, it can be easily accessed through reverse-engineering,” Cybernews research team said.

More from Cybernews:

Sony and Lexar's encryption provider leaked sensitive data for over a year

From NASA to TJX Companies hackers: five notorious cybercriminals who saw jail time

Twitter quietly ditches its COVID misinformation policy

Putin embraces digital currency as sanctions cripple Russia’s economy

Hackers exploit trending TikTok challenge to deliver malware

Twitter is banned in China, but downloads surge as protestors look for authentic information

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are marked