firebase-apk-scanner

Firebase APK Security Scanner


You are a Firebase security analyst. When this skill is invoked, scan the provided APK(s) for Firebase misconfigurations and report findings.

When to Use

  • Auditing Android applications for Firebase security misconfigurations
  • Testing Firebase endpoints extracted from APKs (Realtime Database, Firestore, Storage)
  • Checking authentication security (open signup, anonymous auth, email enumeration)
  • Enumerating Cloud Functions and testing for unauthenticated access
  • Mobile app security assessments involving Firebase backends
  • Authorized penetration testing of Firebase-backed applications

When NOT to Use

  • Scanning apps you do not have explicit authorization to test
  • Testing production Firebase projects without written permission
  • When you only need to extract Firebase config without testing (use manual grep/strings instead)
  • For non-Android targets (iOS, web apps) - this skill is APK-specific
  • When the target app does not use Firebase

Rationalizations to Reject

When auditing, reject these common rationalizations that lead to missed or downplayed findings:
  • "The database is read-only so it's fine" - Data exposure is still a critical finding; PII, API keys, and business data may be leaked
  • "It's just anonymous auth, not real accounts" - An anonymous sign-in still produces a Firebase ID token with a non-null `auth`, so it satisfies `auth != null` rules and can reach every "authenticated-only" resource they guard
  • "The API key is public anyway" - A public API key does not justify open database rules or disabled auth restrictions
  • "There's no sensitive data in there" - You cannot know what data will be stored in the future; insecure rules are vulnerabilities regardless of current content
  • "It's an internal app" - APKs can be extracted from any device; "internal" apps are not protected from reverse engineering
  • "We'll fix it before launch" - Document the finding; pre-launch vulnerabilities frequently ship to production

Reference Documentation

For detailed vulnerability patterns and exploitation techniques, consult:
  • Vulnerability Patterns Reference

How to Use This Skill

The user will provide an APK file or directory as `$ARGUMENTS`.

Workflow

Step 1: Validate Input

First, verify the target exists:

```bash
ls -la $ARGUMENTS
```

If `$ARGUMENTS` is empty, ask the user to provide an APK path.

Step 2: Run the Scanner

Execute the bundled scanner script on the target:

```bash
{baseDir}/scanner.sh $ARGUMENTS
```

The scanner will:
  1. Decompile the APK using apktool
  2. Extract Firebase configuration from all sources (google-services.json, XML resources, assets, smali code, DEX strings)
  3. Test authentication endpoints (open signup, anonymous auth, email enumeration)
  4. Test Realtime Database (unauthenticated read/write, auth bypass)
  5. Test Firestore (document access, collection enumeration)
  6. Test Storage buckets (listing, write access)
  7. Test Cloud Functions (enumeration, unauthenticated access)
  8. Test Remote Config exposure
  9. Generate reports in text and JSON format

Step 3: Present Results

After the scanner completes, read and summarize the results:

```bash
cat firebase_scan_*/scan_report.txt
```

Present findings in this format:

Scan Summary

| Metric | Value |
|---|---|
| APKs Scanned | X |
| Vulnerable | X |
| Total Issues | X |

Extracted Configuration

| Field | Value |
|---|---|
| Project ID | extracted_value |
| Database URL | extracted_value |
| Storage Bucket | extracted_value |
| API Key | extracted_value |
| Auth Domain | extracted_value |

Vulnerabilities Found

| Severity | Issue | Evidence |
|---|---|---|
| CRITICAL | Description | Brief evidence |
| HIGH | Description | Brief evidence |

Remediation

Provide specific fixes for each vulnerability found. Reference the Vulnerability Patterns for secure code examples.
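
As an added illustration of what a remediation should look like (this is not taken from the Vulnerability Patterns reference or from the scanner), here is a Realtime Database rules file for a hypothetical `users` tree. The weak rule it replaces is a root-level `".read": "auth != null"` / `".write": "auth != null"`, which the anonymous-auth rationalization above explains is satisfied by any anonymous sign-in. The hardened rules deny everything by default, scope each user to their own subtree, and reject tokens whose sign-in provider is `anonymous`:

```json
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid && auth.token.firebase.sign_in_provider != 'anonymous'",
        ".write": "auth != null && auth.uid == $uid && auth.token.firebase.sign_in_provider != 'anonymous'"
      }
    }
  }
}
```

The Firestore equivalent uses `request.auth.uid` and `request.auth.token.firebase.sign_in_provider` in `firestore.rules`. Validate the rules in the Rules Playground or the local emulator with both an anonymous token and an email/password token before deploying; a rule that passes only the second is the point of the change.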

Manual Testing (If Scanner Fails)

If the scanner script is unavailable or fails, perform manual extraction and testing:

Extract Configuration

Search for Firebase config in the decompiled APK:

```bash
# Decompile
apktool d -f -o ./decompiled $ARGUMENTS

# Find google-services.json
find ./decompiled -name "google-services.json"

# Search XML resources (-E so the | alternation is a regex, not a literal pipe)
grep -rE "firebaseio.com|appspot.com|AIza" ./decompiled/res/

# Search assets (hybrid apps)
grep -rE "firebaseio.com|AIza" ./decompiled/assets/
```
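
The extraction the scanner performs in step 2 and the manual grep commands above can be collected into one helper. The following is an added example written for this page, not scanner.sh or any code shipped with the skill; it assumes an apktool output directory laid out like `./decompiled` above and deliberately uses only find, sed and grep so it runs without jq. The file names it looks for (`google-services.json`, `res/values/strings.xml`) and the string names written by the google-services Gradle plugin are real; the sample files in the usage note are constructed.

```bash
#!/bin/sh
# Added example (not scanner.sh): pull every Firebase identifier out of an
# apktool output directory and print it as KEY=VALUE, one per line.
# Usage: extract_firebase_config ./decompiled
extract_firebase_config() {
  dir="$1"

  # 1. google-services.json, if the app bundles it (assets/ or res/raw/).
  #    Parsed with sed so the helper works without jq.
  find "$dir" -name google-services.json 2>/dev/null | while read -r f; do
    for key in project_id firebase_url storage_bucket current_key; do
      sed -n "s/.*\"$key\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/$key=\1/p" "$f"
    done
  done

  # 2. res/values/strings.xml entries generated by the google-services
  #    Gradle plugin; this is where most apps carry the config.
  if [ -f "$dir/res/values/strings.xml" ]; then
    for name in project_id google_api_key firebase_database_url \
                google_storage_bucket gcm_defaultSenderId google_app_id; do
      sed -n "s/.*<string name=\"$name\"[^>]*>\([^<]*\)<\/string>.*/$name=\1/p" \
        "$dir/res/values/strings.xml"
    done
  fi

  # 3. Loose indicators anywhere else (hybrid apps keep config in assets/,
  #    native wrappers hard-code it in smali/ or raw DEX strings):
  #    Realtime Database hosts, storage buckets and AIza-prefixed API keys.
  #    -a treats binary files (classes.dex) as text so matches are printed.
  grep -rhoaE \
    'https?://[a-z0-9.-]+\.(firebaseio\.com|firebasedatabase\.app)|[a-z0-9.-]+\.appspot\.com|AIza[0-9A-Za-z_-]{35}' \
    "$dir" 2>/dev/null | sort -u | sed 's/^/indicator=/'
  return 0
}

# Stand-alone use: sh extract_config.sh ./decompiled
if [ -n "${1:-}" ]; then
  extract_firebase_config "$1"
fi
```

Run it as `sh extract_config.sh ./decompiled`; the `indicator=` lines are the raw hits to chase when an app bundles more than one project (guideline 5 below), while the named keys map directly onto the Extracted Configuration table.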

Test Endpoints

Once you have the PROJECT_ID and API_KEY (plus the DATABASE_URL and STORAGE_BUCKET values from the extracted configuration):

**Authentication:**

```bash
# Test open signup
curl -s -X POST -H "Content-Type: application/json" \
  -d '{"email":"test@test.com","password":"Test123!","returnSecureToken":true}' \
  "https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=API_KEY"

# Test anonymous auth
curl -s -X POST -H "Content-Type: application/json" \
  -d '{"returnSecureToken":true}' \
  "https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=API_KEY"
```

A response containing an `idToken` means the sign-up succeeded with nothing but the public API key. An `OPERATION_NOT_ALLOWED` error means that sign-in method is disabled, and `EMAIL_EXISTS` for an address you did not create is the email-enumeration signal.

**Database:**

```bash
# Realtime Database read (DATABASE_URL is the firebase_url / firebase_database_url value,
# e.g. https://PROJECT_ID-default-rtdb.firebaseio.com)
curl -s "DATABASE_URL/.json"

# Firestore read (guess collection names: users, messages, orders, ...)
curl -s "https://firestore.googleapis.com/v1/projects/PROJECT_ID/databases/(default)/documents/COLLECTION?key=API_KEY"

# List bucket
curl -s "https://firebasestorage.googleapis.com/v0/b/STORAGE_BUCKET/o"
```

**Remote Config:**

```bash
curl -s -H "x-goog-api-key: API_KEY" \
  "https://firebaseremoteconfig.googleapis.com/v1/projects/PROJECT_ID/remoteConfig"
```
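
Interpreting the raw JSON that comes back from these probes is where manual testing usually goes wrong, so here is an added example, written for this page rather than taken from scanner.sh, that maps response bodies onto finding labels. The `classify_*` functions are pure string matching and can be run on saved responses; `probe_signup`, `probe_rtdb` and `delete_test_account` make live calls against an authorized target. The error strings (`EMAIL_EXISTS`, `ADMIN_ONLY_OPERATION`, `OPERATION_NOT_ALLOWED`, RTDB's `Permission denied`) are the real ones returned by the Identity Toolkit and Realtime Database REST APIs; the label names and the sample bodies in the test are this example's own.

```bash
#!/bin/sh
# Added example (not scanner.sh): classify the responses of the curl probes
# above and wrap the live calls, including cleanup of the test account.

# Classify an identitytoolkit accounts:signUp body. MODE is "email" or "anonymous".
classify_auth_response() {
  body="$1"; mode="$2"
  case "$body" in
    *'"idToken"'*)              # a token came back: nothing server-side gated the sign-up
      if [ "$mode" = anonymous ]; then echo ANONYMOUS_AUTH_ENABLED; else echo OPEN_SIGNUP; fi ;;
    *EMAIL_EXISTS*)             echo EMAIL_ENUMERATION ;;  # distinct error for a registered address
    *ADMIN_ONLY_OPERATION*)     echo SIGNUP_DISABLED ;;    # "Enable create (sign-up)" is off
    *OPERATION_NOT_ALLOWED*)    echo PROVIDER_DISABLED ;;  # this sign-in method is not enabled
    *API_KEY_INVALID*|*CONFIGURATION_NOT_FOUND*) echo BAD_KEY_OR_PROJECT ;;
    *)                          echo UNKNOWN ;;
  esac
}

# Classify the body of a Realtime Database GET .../.json.
classify_rtdb_response() {
  case "$1" in
    *'"error"'*'"Permission denied"'*) echo RULES_DENY ;;      # rules blocked the unauthenticated read
    *'"error"'*)                      echo ERROR_OTHER ;;     # e.g. no database at that host
    null)                             echo READABLE_EMPTY ;;  # read allowed, path holds nothing
    *)                                echo READABLE ;;        # data came back: CRITICAL unless meant to be public
  esac
}

# Pull the idToken out of a successful sign-up body (needed for cleanup and
# for re-running the database/storage probes as an "authenticated" user).
extract_id_token() {
  printf '%s' "$1" | sed -n 's/.*"idToken"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Live probe: probe_signup API_KEY [EMAIL]. Without EMAIL it tries anonymous sign-in.
probe_signup() {
  key="$1"; email="${2:-}"
  if [ -n "$email" ]; then
    data="{\"email\":\"$email\",\"password\":\"Test123!\",\"returnSecureToken\":true}"; mode=email
  else
    data='{"returnSecureToken":true}'; mode=anonymous
  fi
  body=$(curl -s -X POST -H 'Content-Type: application/json' -d "$data" \
    "https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=$key")
  printf '%s %s\n' "$(classify_auth_response "$body" "$mode")" "$body"
}

# Live probe: probe_rtdb DATABASE_URL [PATH]. shallow=true avoids pulling the whole tree.
probe_rtdb() {
  body=$(curl -s "${1%/}/${2:-}.json?shallow=true")
  printf '%s %s\n' "$(classify_rtdb_response "$body")" "$body"
}

# Cleanup: delete the test account behind an idToken returned by probe_signup.
delete_test_account() {   # delete_test_account API_KEY ID_TOKEN
  curl -s -X POST -H 'Content-Type: application/json' -d "{\"idToken\":\"$2\"}" \
    "https://identitytoolkit.googleapis.com/v1/accounts:delete?key=$1"
}
```

Typical flow on an authorized target: `probe_signup "$API_KEY"` for the anonymous check, `extract_id_token` on the body to keep the token for the authenticated re-tests (guideline 3 below), and `delete_test_account` before you leave so the engagement does not leave accounts behind (guideline 2).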

Severity Classification

  • CRITICAL: Unauthenticated database read/write, storage write, open signup on private apps
  • HIGH: Anonymous auth enabled, storage bucket listing, collection enumeration
  • MEDIUM: Email enumeration, accessible cloud functions, remote config exposure
  • LOW: Information disclosure without sensitive data

Important Guidelines

  1. Authorization required - Only scan APKs you have permission to test
  2. Clean up test data - The scanner automatically removes test entries it creates; when testing manually, delete the accounts you signed up (accounts:delete with the returned idToken) and any test writes you made
  3. Save tokens - If anonymous auth succeeds, keep the returned idToken and re-run the database, storage and function tests with it (`?auth=ID_TOKEN` on Realtime Database REST calls, `Authorization: Bearer ID_TOKEN` on Firestore); rules that only check `auth != null` will let it through
  4. Test all regions - Cloud Functions may be deployed to us-central1, europe-west1, asia-east1, etc.; the region is part of the URL (`https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME`), so a function missing in one region may exist in another
  5. Multiple instances - Some apps use multiple Firebase projects; test all discovered configurations