Three of the Top Photo ID Apps Are Leaking Users’ Data
Three of the most widely used photo ID mobile applications are reported to have exposed sensitive user data. The exposure stems from misconfigured Firebase instances, exacerbated by an absence of attestation: the backend infrastructure trusted requests without properly enforcing authentication and authorization controls. Once the backend endpoint was accessible, data could be retrieved directly, outside the legitimate app context.
TechRadar Pro quotes Cybernews research noting that the exposed data included personal information and backend tokens, and more than 150,000 users were impacted: Dog Breed Identifier Photo Cam has 500K downloads, with 66,182 users affected; Spider Identifier App by Photo has 500K downloads, with 40,779 users affected; and Insect identifier by Photo Cam has 1M downloads, with 45,005 users affected.
Mobile app security expert Ted Miracco, CEO of Approov, notes:
“These incidents show how mobile backend misconfigurations become breaches when APIs trust requests without verifying the app itself. Runtime app attestation and client-bound credentials can be immediately invoked and will stop attackers from exploiting exposed endpoints, even when backend controls fail. When publishers and B2C brands don’t take active steps to prevent reverse-engineered apps, scripts, or emulators from querying their backend APIs, the result is all too often a wide-open door that’s simple for greedy, data-stealing imposters to walk through.”
This highlights the fact that apps on your phone have to be completely trustworthy. It would really be nice if apps had “nutrition labels” or something like that so that you know what you are getting into. In the absence of that, I’m glad that someone is looking at this.
This entry was posted on February 12, 2026 at 4:25 pm and is filed under Commentary with tags Privacy. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.