Skip to main content
Automated Firebase security testing for Android applications. Scans APKs for Firebase misconfigurations across authentication, databases, storage, and cloud functions. Author: Nick Sellier
For authorized security research only. Only scan applications you have explicit authorization to test.

Installation

/plugin install trailofbits/skills/plugins/firebase-apk-scanner

Prerequisites

Install required dependencies before use: 
brew install apktool curl jq binutils

When to Use

Use this plugin when you need to:
  • Audit Android applications for Firebase misconfigurations
  • Test Firebase endpoints extracted from APKs (Realtime Database, Firestore, Storage)
  • Check authentication security (open signup, anonymous auth, email enumeration)
  • Enumerate Cloud Functions and test for unauthenticated access
  • Perform mobile app security assessments involving Firebase backends

When NOT to Use

Do NOT use this plugin when:
  • Scanning apps you do not have explicit authorization to test
  • Testing production Firebase projects without written permission
  • You only need to extract Firebase config without testing (use manual grep/strings instead)
  • For non-Android targets (iOS, web apps) - this skill is APK-specific
  • When the target app does not use Firebase

Commands

/scan-apk

Scan Android APKs for Firebase security misconfigurations. 
/scan-apk <apk-file-or-directory>
apk-file-or-directory
string
required
Path to a single .apk file or directory containing multiple APKs

How It Works

1

Decompile APK

Uses apktool to decompile the Android application
2

Extract Firebase Config

Searches 7+ sources for Firebase configuration:
  • google-services.json
  • XML resources
  • Assets directory
  • Smali code
  • DEX binary strings
  • React Native bundles
  • Flutter assets
3

Test Endpoints

Automatically tests discovered Firebase services for vulnerabilities
4

Generate Report

Creates detailed reports with findings and remediation guidance
5

Cleanup

Removes test data created during the scan

Vulnerability Categories

The scanner tests 14 distinct vulnerability categories across 6 Firebase services:
Open Signup
Critical
Tests if unauthenticated users can create accounts
Anonymous Auth
High
Checks if anonymous authentication is enabled
Email Enumeration
Medium
Tests for user enumeration via email addresses
Unauthenticated Read
Critical
Tests if database can be read without authentication
Unauthenticated Write
Critical
Tests if database can be written without authentication
Auth Token Bypass
High
Checks if authenticated users can access all data
Document Access
Critical
Tests document-level permissions
Collection Enumeration
High
Checks if collections can be enumerated
Bucket Listing
Critical
Tests if storage bucket contents can be listed
Unauthenticated Upload
High
Checks if files can be uploaded without authentication
Unauthenticated Access
Medium
Tests if functions can be called without authentication
Function Enumeration
Low
Checks if functions can be discovered
Public Parameter Exposure
Medium
Tests if remote config parameters are publicly accessible

Key Features

Multi-Framework Support

Supports native Android, React Native, Flutter, and Cordova apps

Comprehensive Extraction

Extracts config from 7+ sources including raw DEX binary strings

14 Vulnerability Tests

Tests authentication, databases, storage, functions, and remote config

Automatic Cleanup

Removes test data created during scans

Usage Examples

/scan-apk ./myapp.apk

Output Reports

The scanner generates comprehensive reports:

Text Report

Human-readable findings with:
  • Vulnerability descriptions
  • Severity ratings
  • Affected endpoints
  • Remediation guidance

JSON Report

Machine-readable output for integration with other tools: 
{
  "scan_timestamp": "2026-03-04T10:30:00Z",
  "apk_file": "myapp.apk",
  "vulnerabilities": [
    {
      "category": "Realtime Database",
      "severity": "Critical",
      "finding": "Unauthenticated read access",
      "endpoint": "https://myapp.firebaseio.com/",
      "recommendation": "Implement security rules"
    }
  ],
  "total_vulnerabilities": 5
}

Common Findings

Severity: CriticalDescription: The Firebase Realtime Database allows unauthenticated read access to data.Remediation:
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
Severity: CriticalDescription: Firebase Storage bucket allows public file listing and download.Remediation:
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}
Severity: HighDescription: Anonymous authentication is enabled, potentially allowing abuse.Remediation:
  • Disable anonymous auth if not needed
  • Implement rate limiting
  • Add additional access controls beyond authentication
Severity: MediumDescription: Cloud Functions can be invoked without authentication.Remediation:
exports.myFunction = functions.https.onCall((data, context) => {
  if (!context.auth) {
    throw new functions.https.HttpsError(
      'unauthenticated',
      'User must be authenticated'
    );
  }
  // Function logic
});

Tested Endpoints

The scanner tests the following Firebase services:
1

Authentication

  • Email/password signup
  • Anonymous authentication
  • Email enumeration
2

Realtime Database

  • Read operations
  • Write operations
  • Auth token bypass attempts
3

Firestore

  • Document access
  • Collection listing
  • Query operations
4

Storage

  • Bucket listing
  • File download
  • File upload
5

Cloud Functions

  • Common function names
  • Unauthenticated invocation
  • Function enumeration
6

Remote Config

  • Parameter exposure
  • Config fetching

Common Cloud Functions Tested

The scanner automatically tests these common function names:
  • Authentication: login, logout, register, signup, authenticate, verify
  • User Management: createUser, deleteUser, updateUser, getUser, getUsers
  • Data Operations: getData, setData, syncData, backup, restore
  • File Operations: uploadFile, getFile, export, import
  • Notifications: sendNotification, sendEmail, notify, push
  • Payment: processPayment, createOrder, getOrders
  • API: webhook, callback, api, admin
  • Monitoring: debug, test, healthcheck, status, analytics

Best Practices

Always obtain written authorization before scanning any application
Clearly define the scope of testing with the application owner
Coordinate testing to avoid production impact
Document all findings with screenshots and reproduction steps
Follow responsible disclosure practices when reporting vulnerabilities
Run scans against staging/test environments first to verify the scanner works correctly before testing production applications.
The scanner creates test data in Firebase during scans. While it attempts to clean up automatically, verify that test data is removed after scanning.

Limitations

  • Platform-specific: Only works with Android APKs
  • Firebase-only: Does not test other backend services
  • Configuration extraction: May not find obfuscated or encrypted Firebase configs
  • Dynamic analysis: Does not include runtime monitoring or traffic interception

Security Considerations

This tool performs active security testing which may:
  • Create accounts in Firebase Authentication
  • Write test data to databases
  • Upload test files to storage buckets
  • Invoke cloud functions
Always ensure you have authorization and understand the impact of testing.

Output Directory Structure

firebase_scan_20260304_103000/
├── decompiled/              # Decompiled APK contents
│   └── myapp/
├── results/                 # Individual finding details
│   ├── auth_findings.txt
│   ├── database_findings.txt
│   └── storage_findings.txt
├── scan_report.txt          # Human-readable report
└── scan_report.json         # Machine-readable report

Integration with Other Tools

The JSON output can be integrated with:
  • Security information and event management (SIEM) systems
  • Continuous integration/continuous deployment (CI/CD) pipelines
  • Vulnerability management platforms
  • Custom reporting dashboards
import json

with open('firebase_scan_*/scan_report.json') as f:
    report = json.load(f)
    
critical_vulns = [
    v for v in report['vulnerabilities']
    if v['severity'] == 'Critical'
]

print(f"Found {len(critical_vulns)} critical vulnerabilities")