iOS sleep management app leaked personal user details online


An iPhone app to battle insomnia, Sleep Journey: Insomnia Helper, exposed tens of thousands of users, revealing their names, alcohol habits, and other private data.

Stress is hardly a cure for insomnia. Meanwhile, an iOS app meant to help users fall asleep could become a headache instead. The Cybernews research team discovered that Sleep Journey: Insomnia Helper exposed numerous users.

Since Apple’s App Store doesn’t disclose how many times a certain app has been downloaded, we don’t know how many people have installed it. Third parties estimate that the app has been downloaded over 30,000 times.


What we do know is that the app's owners left a misconfigured Firebase server, exposing personal details of over 25,000 people. The true scope of the leak could be far greater: Firebase serves as a temporary database, so the actual amount of data stored by the service over time could be much higher.

“The app aims to help people with health and quality of life; however, due to security misconfigurations, it may inadvertently achieve the opposite, as the app leaks personal information, personally identifiable information, and health information that could be abused by threat actors,” researchers said.


The app is sold by Cyprus-registered company Fitsia Holdings Limited. We have reached out to them for comment and will update the article once we receive a reply.

What data did the iOS app expose?

According to the researchers, the misconfigured Firebase instance had a treasure trove of personal user details such as:

  • Names
  • Email addresses
  • Dates of birth
  • Gender
  • Sleeping data
  • Habits, such as alcohol and nicotine consumption
  • Pre-sleep activities
  • Medication use

Leaking personal data together with health information is lucrative for cybercrooks as it allows them to develop targeted attacks with the most sensitive personal details related to people’s well-being.

“This information could be abused by malicious actors for phishing, spam, social engineering, gathering more personal information from other sources, and using personal information for credential stuffing attacks,” the team said.

Moreover, attackers are fully aware of how Firebase works and could use it to their advantage by setting up scrapers – automated programs that continuously request new data from the same resource, download and store responses from the resource.


iOS apps’ secrets revealed

Customer details are not the only thing that Sleep Journey: Insomnia Helper exposed. Numerous app secrets on the client side of the application were revealed, including keys and IDs:

  • API Key
  • Client ID
  • Database URL
  • Google App ID
  • Project ID
  • Reversed Client ID
  • Storage Bucket

Leaking app secrets poses severe security risks, as attackers can leverage them to gain high-level access to user data. At least in theory, malicious actors could bypass authentication systems and access sensitive customer data as well as manipulate services without being detected.

Compromised Google App IDs or Project IDs could allow attackers to exploit third-party services, charging the company for data usage. Meanwhile, storage bucket credentials are particularly dangerous as they could allow attackers to access data-filled repositories.


Apple apps leak secrets

The Cybernews research team has recently discovered numerous apps with devastating security issues. For example, a number of BDSM, LGBTQ+, and sugar dating apps have been found exposing users' private images, with some of them even leaking photos shared in private messages.

The recent leak was uncovered during a large-scale investigation – Cybernews researchers downloaded 156,000 iOS apps, around 8% of all apps on the App Store, discovering that developers leave plaintext credentials in the application code accessible to anyone.

The findings revealed that 71% of the analyzed apps leak at least one secret, with an average app's code exposing 5.2 secrets.

[Image: iOS, iPhone vulnerability, Apple. Image by Cybernews.]

How to fix leaky apps?

Researchers believe that to effectively mitigate the issue, it’s best to focus on Firebase instances and hardcoded secrets separately. To fix Firebase-related issues, the team advised to:

  • Make use of appropriate Firebase security rules in order to make sure only authorized and authenticated users and services can access stored data.

“The Firebase instance used by the app was exposed and publicly accessible, allowing threat actors to connect to the database and 'scrape' it in real-time, gaining access to information about any actions made by their users, including access to customer details,” our researchers said.
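As an added illustration (not code from the article or the researchers), the script below walks a Firebase Realtime Database ruleset and flags the kind of open `.read`/`.write` rules that leave a database publicly scrapable; the three rulesets are constructed samples, not the app's actual configuration.

```python
import json

# Constructed sample (not the app's real ruleset): a Realtime Database
# ruleset that is world-readable and world-writable, the misconfiguration
# the article describes.
WEAK_RULES = json.loads("""
{"rules": {".read": true, ".write": true}}
""")

# Constructed sample: any signed-in account can read everything. Still a
# leak, because anyone can register an account and scrape the database.
ANY_USER_RULES = json.loads("""
{"rules": {"users": {".read": "auth != null", ".write": "auth != null"}}}
""")

# Constructed sample: each user may only read and write their own subtree.
HARDENED_RULES = json.loads("""
{"rules": {"users": {"$uid": {
    ".read":  "auth != null && auth.uid == $uid",
    ".write": "auth != null && auth.uid == $uid"}}}}
""")


def find_open_access(node, path=""):
    """Walk a Realtime Database ruleset and return (path, permission, kind)
    for every .read/.write that is unconditionally true ("public") or that
    only requires some signed-in user ("any-authenticated-user").
    Rules are inherited by child paths, so one open rule near the root
    exposes the whole tree beneath it."""
    findings = []
    for key, value in node.items():
        if key in (".read", ".write"):
            if value is True or (isinstance(value, str) and value.strip() == "true"):
                findings.append((path, key, "public"))
            elif isinstance(value, str) and value.strip() == "auth != null":
                findings.append((path, key, "any-authenticated-user"))
        elif isinstance(value, dict):
            findings.extend(find_open_access(value, f"{path}/{key}"))
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("any-user", ANY_USER_RULES),
                        ("hardened", HARDENED_RULES)):
        print(name, find_open_access(rules) or "no open rules")
```

The check reads an exported rules JSON, so it can run against the file kept in version control rather than against the live project.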

Meanwhile, to prevent apps’ secrets from falling into the wrong hands, the team advised to:

  • Remove sensitive secrets from the client side of the application and place them on the server side, proxying traffic through your own infrastructure to third-party services used by the app.

“Hardcoded secrets allow threat actors to enumerate infrastructure used by the app. If any authentication secrets are present, it may also allow threat actors to abuse the affected services in order to harvest user data or use the services for their own, unauthorized purposes,” the team explained.
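Added example, not the researchers' tooling: a Python check for the keys listed earlier in an app bundle's GoogleService-Info.plist, the file where Firebase iOS apps carry these values (the key names are those used by that file; the sample plist and its values are constructed placeholders).

```python
import os
import plistlib

# Keys the article lists as exposed client-side secrets, written as they
# appear in a Firebase GoogleService-Info.plist.
CLIENT_SIDE_SECRET_KEYS = (
    "API_KEY", "CLIENT_ID", "DATABASE_URL", "GOOGLE_APP_ID",
    "PROJECT_ID", "REVERSED_CLIENT_ID", "STORAGE_BUCKET",
)

# Constructed sample plist with placeholder values, not data from the app.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>API_KEY</key><string>PLACEHOLDER_API_KEY_VALUE</string>
  <key>CLIENT_ID</key><string>PLACEHOLDER.apps.googleusercontent.com</string>
  <key>DATABASE_URL</key><string>https://example-project.firebaseio.com</string>
  <key>PROJECT_ID</key><string>example-project</string>
  <key>STORAGE_BUCKET</key><string>example-project.appspot.com</string>
  <key>BUNDLE_ID</key><string>com.example.app</string>
</dict></plist>
"""


def mask(value):
    """Keep only the first and last four characters so a report does not reproduce the secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"


def find_client_secrets(plist_bytes):
    """Parse a GoogleService-Info.plist; return {key: masked value} for listed keys present."""
    data = plistlib.loads(plist_bytes)
    report = {}
    for key in CLIENT_SIDE_SECRET_KEYS:
        value = data.get(key)
        if isinstance(value, str) and value:
            report[key] = mask(value)
    return report


def scan_bundle(root):
    """Walk an unpacked .app/.ipa directory so the check can run in CI before submission."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        if "GoogleService-Info.plist" in filenames:
            path = os.path.join(dirpath, "GoogleService-Info.plist")
            with open(path, "rb") as fh:
                results[path] = find_client_secrets(fh.read())
    return results
```

A non-empty report is a signal to review which of these values the client really needs and to move the rest behind a server-side proxy, as the researchers advise.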

Disclosure timeline:

  • Leak discovered: January 7th, 2025
  • Initial disclosure: January 15th, 2025
  • CERT contacted: February 11th, 2025