Popular Android diamond game spills players’ data


Sweet Diamond Shooter game leaked a 484.66 MB–strong database of sensitive game-related user data.

Cybernews research has discovered that the Sweet Diamond Shooter app had sensitive data hardcoded into the client side of the app.

This means that threat actors can get their hands on Google API (application programming interface) keys, Google Storage bucket URLs, and unprotected databases and exploit that information simply by reversing and analyzing publicly available information about the app.

Sweet Diamond Shooter, with over 100,000 downloads on the Google App Store, is developed by Sweet Media Marketing. It allows users to “shoot diamonds to win real and free prizes through the points they earn.” The game’s Android developer currently has 12 apps on Google Play with over 1.5 million downloads in total.

Significance

Comprehensive Cybernews research of over 33,000 Android apps led to the discovery of more than 14,000 Firebase URLs on the front end of Android apps. Over 600 of them were links to open Firebase instances.

Sweet Diamond Shooter was one of the apps that left an open database, exposing user data.

Developers of the casual game left a 484.66 MB–strong database accessible to the public. The dataset contained users’ IP addresses, phone numbers, registration gates, emails, and other game-related information.

Upon acquiring this information, a threat actor could connect an email with a phone number and exploit the data to perform attacks against some of the two-factor authentication (2FA) implementations.

“Since the Firebase was left open to public access without any authorization, a threat actor could have either edited or wiped out the data completely and, if no backups had been secured, this action could have been irreversible,” Cybernews researchers explained.

The app also leaked other sensitive hard-coded secrets, including Google Storage bucket addresses and Google API keys.

In accordance with the Cybernews responsible disclosure procedure, we informed the developer about the security issue on September 1, 2022. Unfortunately, the company failed to patch it and did not provide any comment. However, Google stepped up, and downloading this dataset is no longer possible.

Cybernews researchers discovered the dataset on August 8, 2022, and it was closed on January 9, 2023.

“A threat actor had at least four months to snoop around or download the user base’s game-related data since the Firebase was left open without any protection. Unfortunately, the developers did not answer the question of how long this instance had been available to the public nor if threat actors could use the hardcoded secrets to achieve subsequent sensitive data leakage,” Cybernews researchers pointed out.

They strongly recommend reviewing your security policies if you’ve had this app installed.

Leaky Android Apps

Sweet Diamond Shooter is one of the thousands of apps on the Google Play store vulnerable to data leaks.

When analyzing over 33,000 Android apps, Cybernews researchers found more than 124,000 strings potentially leaking sensitive data.

Twenty-two unique types of secrets were discovered, with various API keys, open Firebase dataset URLs, and links to Google Storage buckets among the most sensitive ones.

Main statistics

We found the most hard-coded secrets in apps within these five categories: health and fitness, education, tools, lifestyle, and business.

[Figure: Top 10 app categories by found secrets]

“Hardcoding sensitive data into the client-side of an Android app is a bad idea. In most cases, it can be easily accessed through reverse-engineering,” the Cybernews research team said.
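A pre-release audit a developer could run over their own app's res/values/strings.xml to list the secret types named above (Google API keys, Firebase database URLs, Google Storage buckets). This is an added example, not Cybernews tooling or code from the app; the regular expressions are common value shapes chosen for illustration, and the project name and key in the sample are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Value patterns for the three secret types the article names (assumed shapes).
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "firebase_database_url": re.compile(
        r"https://[a-z0-9.-]+\.(?:firebaseio\.com|firebasedatabase\.app)"),
    "google_storage_bucket": re.compile(r"[a-z0-9][a-z0-9.-]*\.appspot\.com"),
}

def redact(value, keep=8):
    """Keep a short prefix so the report itself does not leak the secret."""
    return value[:keep] + "*" * (len(value) - keep)

def scan_strings_xml(xml_text):
    """Return (resource name, secret type, redacted value) for each hit.

    Matching is on the value, so a secret stored under a neutral
    resource name is still reported.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter("string"):
        value = (elem.text or "").strip()
        for kind, pattern in PATTERNS.items():
            match = pattern.search(value)
            if match:
                findings.append((elem.get("name"), kind, redact(match.group())))
    return findings

# Constructed sample: placeholder project name and an all-zero fake key.
FAKE_KEY = "AIza" + "0" * 35
SAMPLE = f"""<resources>
  <string name="app_name">Demo Game</string>
  <string name="firebase_database_url">https://demo-game-example.firebaseio.com</string>
  <string name="google_storage_bucket">demo-game-example.appspot.com</string>
  <string name="cfg_a">{FAKE_KEY}</string>
</resources>"""

if __name__ == "__main__":
    hits = scan_strings_xml(SAMPLE)
    for name, kind, shown in hits:
        print(f"{name}: {kind} -> {shown}")
    # Used as a release gate, a non-zero exit flags the build for review.
    raise SystemExit(1 if hits else 0)
```

Every hit is a value that anyone holding the APK can read, so each one needs an owner who confirms that the backend behind it does not rely on the value staying secret.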