
An iPhone app for tai chi (a mind-body practice) and meditation, 7 Minute Chi - Meditate & Move, exposed numerous customers, revealing their names and email addresses, the Cybernews research team has discovered.
People turn to meditation apps for many reasons: to sleep better, to attain peace of mind, or simply decompress. However, 7 Minute Chi - Meditate & Move pairs a search for calm with anxiety over data loss. The iOS app makers misconfigured a public Firebase instance, making customer details available to the public.
Apple’s App Store doesn’t provide information on how many users downloaded a certain app; however, third-party estimates show that 7 Minute Chi - Meditate & Move could have been downloaded over 22,000 times.
However, when researchers discovered the leaky instance, they found it revealed the names and email addresses of over 100,000 users. The true scope of the leak could be far greater, as the Firebase serves as a temporary database, which means that the actual amount of data stored by the service could be much higher.
Attackers are fully aware of how Firebase works and could use it to their advantage by setting up scrapers – automated programs that continuously request new data from the same resource, then download and store the responses.
“The data leaked from the app was sensitive as it may allow threat actors to obtain app users’ email addresses and launch spam or phishing campaigns against them,” the team explained.
We have reached out to the company behind the app for comment and will update the article once we receive a reply.
iOS apps’ secrets revealed
Worryingly, 7 Minute Chi - Meditate & Move data leak exposed more than customer details. Numerous app secrets on the client side of the application were revealed, including keys and IDs:
- API Key
- Client ID
- Database URL
- Google App ID
- Project ID
- Reversed Client ID
- Storage Bucket
- Facebook App ID
- Fabric API Key
Leaking app secrets poses severe security risks, as attackers can leverage them to gain high-level access to user devices. At least in theory, malicious actors could bypass authentication systems and access sensitive customer data, as well as manipulate services without being detected.
Compromised Google App IDs, Project IDs, or Facebook App IDs could allow attackers to exploit third-party services, charging legitimate users over data usage. Meanwhile, storage bucket credentials and database URLs are particularly dangerous as they could allow attackers to access data-filled repositories.
Apple apps leak secrets
However, 7 Minute Chi - Meditate & Move is one among many iOS apps leaking app secrets. The Cybernews research team has recently discovered numerous apps with devastating security issues. For example, a number of BDSM, LGBTQ+, and sugar dating apps have been found exposing users' private images, with some of them even leaking photos shared in private messages.
In other cases, our researchers discovered that apps meant to track family members, secretly store sensitive data, or help with private communications were leaking troves of sensitive data.
The recent leak was uncovered during a large-scale investigation – Cybernews researchers downloaded 156,000 iOS apps, around 8% of all apps on the Apple Store, discovering that developers leave plaintext credentials in the application code accessible to anyone.
The findings revealed that 71% of the analyzed apps leak at least one secret, with an average app's code exposing 5.2 secrets.
How to fix leaky apps?
Researchers believe that to effectively mitigate the issue, it’s best to focus on Firebase instances and hardcoded secrets separately. To fix Firebase-related issues, the team advised to:
- Make use of appropriate Firebase security rules in order to make sure only authorized and authenticated users and services can access stored data.
“The Firebase instance used by the app was exposed and publicly accessible, allowing threat actors to connect to the database and “scrape” it in real-time, gaining access to information about any actions made by their users, including access to customer details,” our researchers said.
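The kind of misconfiguration described above is a Realtime Database rules file that grants anonymous read and write access. The following added example (not code from the article or from the app's developers) audits a rules document for permissions that no authenticated identity has to satisfy; the two rules documents are constructed here, one open and one scoped to the record's owner, and the rule structure follows Firebase's documented `.read`/`.write` syntax.

```python
import json

# Constructed Firebase Realtime Database rules, not the app's real configuration.
# OPEN_RULES is the "anyone can read and write" shape that lets an unauthenticated
# client scrape the whole database; rules cascade, so a grant at the root applies
# to every child path.
OPEN_RULES = json.dumps({
    "rules": {".read": True, ".write": True}
})

# SCOPED_RULES restricts each user record to the signed-in owner of that record.
SCOPED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
})


def find_public_paths(rules_json: str) -> list[tuple[str, str]]:
    """Return (path, permission) pairs granted without any authentication.

    A permission counts as public when it is the literal true or a string
    expression that never mentions `auth`, since an anonymous client can then
    satisfy it. `.validate` is not an access grant and is ignored.
    """
    findings: list[tuple[str, str]] = []

    def walk(node: dict, path: str) -> None:
        for key, value in node.items():
            if key in (".read", ".write"):
                is_public = value is True or (
                    isinstance(value, str) and "auth" not in value
                )
                if is_public:
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return findings
```

Run the auditor over an exported rules file before publishing; any hit at `/` means the whole database is readable or writable by the public.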
Meanwhile, to prevent apps’ secrets from falling into the wrong hands, the team advised to:
- Remove sensitive secrets from the client side of the application and place them on the server side, proxying traffic to the third-party services used by the app through your own infrastructure.
“Hardcoded secrets allow threat actors to enumerate infrastructure used by the app. If any authentication secrets are present, it may also allow threat actors to abuse the affected services in order to harvest user data or use the services for their own, unauthorized purposes,” the team explained.
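A practical first step toward the advice above is to inventory what an app bundle already ships. The following added example (not code from the article or from the app's developers) parses the two plist files where the identifiers listed earlier usually live and reports each one found; the key names under `GoogleService-Info.plist` are Firebase's standard ones, `FacebookAppID` is the Facebook SDK's `Info.plist` key, and the bundle contents are constructed placeholders.

```python
import plistlib

# Keys named in the article, grouped by the bundle file that carries them and
# tagged with what they reveal. GoogleService-Info.plist keys are the names
# Firebase writes; FacebookAppID is the Info.plist key read by the Facebook SDK.
SECRET_KEYS = {
    "GoogleService-Info.plist": {
        "API_KEY": "api key", "CLIENT_ID": "oauth client id",
        "REVERSED_CLIENT_ID": "oauth client id", "GOOGLE_APP_ID": "app id",
        "PROJECT_ID": "project id", "DATABASE_URL": "data endpoint",
        "STORAGE_BUCKET": "data endpoint",
    },
    "Info.plist": {"FacebookAppID": "app id"},
}


def _plist(entries: str) -> bytes:
    """Wrap constructed <key>/<value> entries in a minimal XML plist document."""
    return (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
            + entries.encode() + b"</dict></plist>")


# Constructed sample bundle with placeholder values (not the app's real files).
SAMPLE_BUNDLE = {
    "GoogleService-Info.plist": _plist(
        "<key>API_KEY</key><string>PLACEHOLDER_API_KEY</string>"
        "<key>DATABASE_URL</key><string>https://placeholder-project.firebaseio.com</string>"
        "<key>STORAGE_BUCKET</key><string>placeholder-project.appspot.com</string>"
        "<key>PROJECT_ID</key><string>placeholder-project</string>"
        "<key>IS_ADS_ENABLED</key><false/>"),
    "Info.plist": _plist(
        "<key>CFBundleIdentifier</key><string>com.example.placeholder</string>"
        "<key>FacebookAppID</key><string>000000000000000</string>"),
}


def find_bundled_secrets(bundle: dict[str, bytes]) -> list[tuple[str, str, str]]:
    """Return (file, key, category) for each article-listed key present in the bundle.

    Everything reported ships inside the .ipa and is readable by anyone who
    downloads the app, so each hit is either a value to move behind your own
    server or an endpoint whose access rules must be verified.
    """
    hits: list[tuple[str, str, str]] = []
    for filename, keys in SECRET_KEYS.items():
        if filename not in bundle:
            continue
        data = plistlib.loads(bundle[filename])
        for key, category in keys.items():
            if data.get(key):  # skip absent or empty values
                hits.append((filename, key, category))
    return hits
```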
- Leak discovered: January 7th, 2025
- Initial disclosure: January 15th, 2025
- CERT contacted: February 13th, 2025