When it comes to downloading apps on your mobile device, you can never be too careful. Even if the app isn’t actively malicious, there is still a chance your data could be at risk. That seems to be the case for a very popular barcode scanner app on the Google Play store called Barcode to Sheet. According to Cybernews, the developers of the scanner app left their Firebase database, which stores data the app collects from users, open for anyone to access.
Android Barcode scanner leaks passwords
Unlike some of the fake or malicious Android apps we cover on occasion, Barcode to Sheet is a legitimate productivity app. Google Play shows that the app has been downloaded over 100,000 times and has an average review score of 4.6/5 from 3,000+ reviews.
The database in question contained over 368MB of data, some of which was stored in plaintext. The data included information about products, reports, emails, and user IDs. There were also user passwords stored in the MD5 hash format. As Cybernews notes, MD5 is not an especially secure way to store data, as it suffers from multiple vulnerabilities.
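To illustrate the MD5 point, here is an added example (not code from Cybernews or the app's developers) of replacing unsalted MD5 password records with salted scrypt hashes, upgrading each record on the user's next successful login. The function names, the `scrypt$<salt>$<key>` record format and the cost parameters are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this sketch, tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest: the same password always yields the same record."""
    return hashlib.md5(password.encode()).hexdigest()


def _scrypt(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key with a deliberately slow, memory-hard function."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt hex>$<key hex>' using a fresh random per-user salt."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_scrypt(password, salt).hex()}"


def verify_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Check a password and return (ok, record_to_store).

    A legacy MD5 record is replaced by a scrypt record on the first
    successful login; failed attempts leave the stored record untouched.
    """
    if stored.startswith("scrypt$"):
        _, salt_hex, key_hex = stored.split("$")
        candidate = _scrypt(password, bytes.fromhex(salt_hex)).hex()
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(candidate, key_hex), stored
    # Anything else is treated as a legacy unsalted MD5 hex digest.
    if hmac.compare_digest(legacy_md5(password), stored):
        return True, hash_password(password)
    return False, stored
```

Because the salt is random per record, two users with the same password no longer share a stored value, which unsalted MD5 cannot prevent.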
Additionally, the report claims that sensitive information was also likely stored on the application’s client side, along with access keys and IDs. If they infiltrated the server, bad actors would have been able to see the web client ID, Google application programming interface (API) key, Google app ID, crash reporting key, and other details only the developers should see.
“The leaked data is sensitive,” the Cybernews team said in its report. “Not only did it include the application’s secrets, stored on the client side of the app, but enterprise and user information as well, including users’ passwords.”
Cybernews reached out to the developers of Barcode to Sheet prior to publishing its report. The developer says that it is working on a solution to the issue.