Firebase Apk Scanner

Firebase APK Scanner is a community skill for analyzing Android APK files to detect Firebase configuration details, covering manifest parsing, google-services extraction, database URL detection, storage bucket identification, and security misconfiguration assessment for mobile application auditing.

What Is This?

Overview

Firebase APK Scanner provides patterns for extracting and analyzing Firebase configuration data embedded in Android application packages. It covers APK decompilation and resource extraction for accessing configuration files, AndroidManifest parsing to identify declared Firebase services and API keys, google-services.json reconstruction from embedded resource values, Realtime Database and Firestore URL extraction for verifying access control rules, and Cloud Storage bucket identification for checking public accessibility. The skill enables security auditors to assess whether Firebase resources in published Android applications are properly secured against unauthorized access.

Who Should Use This

This skill serves mobile security auditors reviewing Android applications for Firebase misconfigurations, development teams verifying that production APKs do not expose insecure Firebase endpoints, and penetration testers assessing Firebase security rules during authorized tests.

Why Use It?

Problems It Solves

Firebase configuration data embedded in APKs can reveal database URLs, storage buckets, and API keys that may be improperly secured. Manually decompiling APKs and searching for Firebase strings is time-consuming and error-prone. Identifying which Firebase services an application uses requires parsing multiple configuration sources. Verifying whether discovered endpoints have proper security rules needs structured testing workflows.

Core Highlights

APK decompiler extracts resources and configuration files from Android packages. Config parser identifies Firebase project IDs, API keys, and service URLs. Database scanner tests Realtime Database endpoints for open read and write access. Storage checker verifies Cloud Storage bucket permissions against public access.

How to Use It?

Basic Usage

import zipfile
import xml.etree.ElementTree as ET
import re
import os

class APKExtractor:
    def __init__(self, apk_path: str):
        self.apk_path = apk_path
        self.extract_dir = apk_path + "_extracted"

    def extract(self) -> str:
        os.makedirs(
            self.extract_dir, exist_ok=True)
        with zipfile.ZipFile(
                self.apk_path) as z:
            z.extractall(self.extract_dir)
        return self.extract_dir

    def find_firebase_strings(
            self) -> dict:
        patterns = {
            "database_url": re.compile(
                r"https://[\w-]+"
                r"\.firebaseio\.com"),
            "storage_bucket": re.compile(
                r"[\w-]+\.appspot\.com"),
            "project_id": re.compile(
                r"firebase-project-id[\":\s]+"
                r"([\w-]+)"),
            "api_key": re.compile(
                r"AIza[\w-]{35}")}
        found = {}
        for root, _, files in os.walk(
                self.extract_dir):
            for fname in files:
                path = os.path.join(
                    root, fname)
                try:
                    with open(path, "r",
                              errors="ignore"
                              ) as f:
                        content = f.read()
                    for key, pat in (
                            patterns.items()):
                        matches = pat.findall(
                            content)
                        if matches:
                            found.setdefault(
                                key, []).extend(
                                matches)
                except (IOError, UnicodeError):
                    continue
        return found

Real-World Examples

import requests

class FirebaseSecurityChecker:
    def check_database(
            self, db_url: str) -> dict:
        test_url = f"{db_url}/.json"
        response = requests.get(test_url)
        return {
            "url": db_url,
            "status": response.status_code,
            "readable":
                response.status_code == 200,
            "message":
                "Database is publicly readable"
                if response.status_code == 200
                else "Access denied"}

    def check_storage(
            self, bucket: str) -> dict:
        url = ("https://firebasestorage"
               ".googleapis.com/v0/b/"
               f"{bucket}/o")
        response = requests.get(url)
        return {
            "bucket": bucket,
            "listable":
                response.status_code == 200,
            "items": len(response.json()
                .get("items", []))
                if response.status_code == 200
                else 0}

    def full_audit(
            self, config: dict) -> list:
        findings = []
        for url in config.get(
                "database_url", []):
            result = self.check_database(url)
            if result["readable"]:
                findings.append(result)
        for bucket in config.get(
                "storage_bucket", []):
            result = self.check_storage(bucket)
            if result["listable"]:
                findings.append(result)
        return findings

checker = FirebaseSecurityChecker()
result = checker.check_database(
    "https://example-app.firebaseio.com")
print(f"Readable: {result['readable']}")

Advanced Tips

Use jadx or apktool for full decompilation when zipfile extraction does not reveal all embedded strings. Search DEX bytecode directly for hardcoded Firebase configuration values that are not stored in resource files. Cross-reference discovered project IDs with public Firebase hosting URLs to map the full attack surface.

When to Use It?

Use Cases

Build an automated APK scanning pipeline that extracts Firebase configuration from app store downloads during security assessments. Create a pre-release audit tool that verifies Firebase security rules before publishing new app versions. Implement a monitoring service that periodically checks production Firebase endpoints for accidental rule changes that expose data.

Related Topics

Mobile application security, Android reverse engineering, Firebase security rules, cloud misconfiguration detection, and APK analysis.

Important Notes

Requirements

Python with zipfile and requests libraries for APK extraction and endpoint testing. Authorized access to the target APK files for security assessments. Network access to Firebase endpoints for security rule verification.

Usage Recommendations

Do: only scan APKs with proper authorization from the application owner for legitimate security testing. Report discovered misconfigurations through responsible disclosure processes. Document all findings with remediation steps for fixing insecure Firebase rules.

Don't: access or download data from Firebase databases without explicit authorization even if rules are misconfigured. Share discovered API keys or database URLs outside the security assessment scope. Assume that a publicly readable database is intentional without verifying with the development team.

Limitations

Obfuscated APKs may hide Firebase configuration strings that simple pattern matching cannot detect. Firebase security rules can change between scan time and report delivery. Some Firebase services use server-side authentication that cannot be tested from extracted client configuration alone.