Popular mobile role-playing game (RPG) Guidus spilled data about users’ game progress.
The research by Cybernews has discovered that the Guidus app had sensitive data hardcoded into the client side of the app, making it vulnerable to data leaks.
Guidus is a popular mobile pixel RPG game with more than 100,000 downloads on the Google App store. The game’s narrative invites the player to fight one’s way through dungeons to reclaim the royal palace and rescue the true heir to the realm. The app has a 4.2-star rating (out of 5) based on over 16,000 reviews.
The app developers were informed of the data spill but failed to close public access to the database. However, at the time of writing, the app’s firebase instance had so much data that acquiring it all in one run became impossible for threat actors due to Google’s data transferring policies, in effect rendering the instance as having a too large payload to be acted upon.
Researchers discovered that Guidus was leaking data through unprotected access to Firebase, Google's mobile application development platform that provides cloud-hosted database services.
The app spilled information about users' game progress, including anonymized tokens used by gamers as ‘in-game’ curries and as digital markers to track progress. If the data leaked had not been backed up and a malicious actor had chosen to delete it, it is possible that the user's progress in the game would have been permanently lost without the possibility of recovery.
Along with the open Firebase instance, the developers of the app had left keys hardcoded into the client or user side that might have given threat actors access to sensitive data that they could then use to target victims.
The keys that were found hardcoded into the client side of the app were as follows: firebase_database_url, gcm_defaultSenderId, default_web_client_id, google_api_key, google_app_id, google_crash_reporting_api_key, google_storage_bucket.
“Hardcoding sensitive data into the client side of an Android app is a bad idea,” said the Cybernews research team. “In most cases, it can be easily accessed through reverse engineering.”
Leaky Android Apps
Guidus is one of the thousands of apps on the Google Play store vulnerable to data leaks.
Earlier this year, Cybernews analyzed over 33,000 Android apps and found that the most sensitive types of hardcoded secrets left exposed were application programming interface (API) keys used to authorize projects, links to open Firebase datasets, and Google Storage buckets.
Results showed that over 14,000 apps had Firebase URLs on their front end. Out of these, 600 were links to open Firebase instances. This means that by examining the public information of an app, a malicious actor could gain access to its open database and potentially access user data.
The five categories of apps that contained the most hardcoded secrets were health and fitness, education, tools, lifestyle, and business.
More from Cybernews:
Subscribe to our newsletter