
iOS Sleep app has leaked sensitive user information

An iPhone app meant to combat insomnia, Sleeping Trip: Insomnia Helper, exposed tens of thousands of users, revealing their names, alcohol habits and other private data.

Stress is hardly a cure for insomnia. Yet an iOS app that is supposed to help its users could instead become a headache. The Cybernews research team discovered that Sleeping Trip: Insomnia Helper exposed the data of numerous users.

Since Apple's App Store does not disclose how often an app has been downloaded, the exact number of installations is unknown. However, third-party estimates put the app at over 30,000 downloads.


The owners of the app left a misconfigured Firebase server exposed, revealing the personal details of over 25,000 people. The true scope of the leak could be far greater: the Firebase instance serves as a temporary database, which means the actual amount of data the service has stored over time could be much higher.

“The app aims to help people with their health and quality of life. Due to a security misconfiguration, it could accidentally achieve the opposite, since the app exposes personal information, personally identifiable information and health information that could be misused by threat actors,” the researchers said.

In addition, attackers could set up data scrapers: automated programs that continuously request new data from the same resource, downloading and saving every response.

The app is published by the Cyprus-registered company Fitsia Holdings Limited. Cybernews has reached out for comment and will update the article once a response is received.

(Figure: Top 20 leaked secrets in iOS apps)

What data the iOS app exposed

According to the researchers, the misconfigured Firebase instance contained a wealth of personal user details, including:

  • Names
  • E-mail addresses
  • Dates of birth
  • Gender
  • Sleeping data
  • Habits such as alcohol and nicotine consumption
  • Pre-sleep activities
  • Medication

The exposure of personal data together with health information is lucrative for cybercriminals, since they can craft targeted attacks using the most sensitive details about people's well-being.

“This information could be misused by malicious actors for phishing, spam, social engineering, combining it with personal information collected from other sources, and using personal information to obtain login credentials,” the team said.

Attackers are well aware of how Firebase works and could use it to their advantage by setting up scrapers to harvest data in real time.

Secrets the iOS app revealed

Customer details were not the only sensitive information that Sleeping Trip: Insomnia Helper exposed. Numerous app secrets were also revealed, including:

  • API key
  • Client ID
  • Database URL
  • Google App ID
  • Project ID
  • Reversed client ID
  • Retiner

The leak of app secrets poses serious security risks. Attackers can exploit these credentials to gain high-level access to user devices. In theory, this could enable them to bypass authentication systems, access sensitive customer data or manipulate services without detection.

With compromised Google App IDs or project IDs, attackers can exploit third-party services and potentially run up charges to the company for data usage. Storage bucket credentials are particularly dangerous because they can grant access to repositories full of data.


Apple apps leak secrets

The Cybernews research team recently uncovered numerous apps with serious security gaps. Several BDSM, LGBTQ+ and sugar dating apps leaked users' private images, including photos shared in private messages.

This most recent leak was found during a large-scale investigation in which the researchers downloaded 156,000 iOS apps, about 8% of all apps in the App Store. They found that developers often leave plaintext credentials in app code, where anyone can read them.

The results showed that 71% of the analyzed apps leaked at least one secret, with each app revealing an average of 5.2 secrets in its code.

(Figure: Cybernews sample secret)

How to fix leaky apps

The researchers advise addressing Firebase instances and hard-coded secrets separately in order to tackle the problem effectively.

To fix Firebase-related problems, developers should:

  • Implement proper Firebase security rules so that only authorized, authenticated users and services can access the stored data.

“The Firebase instance used by the app was exposed and publicly accessible, allowing threat actors to connect to the database and scrape it in real time, gaining access to information about all actions carried out by its users, including customer details,” the researchers said.
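What a "publicly accessible" Firebase instance looks like at the rules level, and what the corrected rules look like, as an added example that is not from the article or from the app's own configuration. The two rule documents below are constructed: the weak one grants `.read`/`.write` to the whole world at the root, the hardened one denies by default and scopes each user's node to that user's own `auth.uid`. The `findOpenNodes` lint walks a Realtime Database rules document and reports every node whose read or write permission is unconditionally `true`, which is the check a defender would run over `database.rules.json` before deploying.

```javascript
// Added example, not the app's or Cybernews' code. Realtime Database rules as
// JSON objects (constructed samples) plus a lint for world-readable/writable nodes.

const weakRules = {
  rules: {
    ".read": true,   // anyone on the internet can read every node
    ".write": true,  // ...and overwrite it
  },
};

const hardenedRules = {
  rules: {
    ".read": false,  // deny by default at the root
    ".write": false,
    users: {
      $uid: {
        // only the signed-in owner of this node may read or write it
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        sleepLog: {
          ".validate": "newData.hasChildren(['date', 'hours'])",
        },
      },
    },
  },
};

// A rule is "open" when it is the boolean true or the string "true": Firebase
// evaluates both as an unconditional grant, and grants cascade to child nodes.
function isUnconditional(rule) {
  return rule === true || (typeof rule === "string" && rule.trim() === "true");
}

// A rule of exactly "auth != null" lets any signed-in account (including a
// throwaway one) read the node; worth flagging on nodes holding personal data.
function isAnyAuthenticatedUser(rule) {
  return typeof rule === "string" && rule.replace(/\s+/g, "") === "auth!=null";
}

// Walk the rules tree and collect findings as { path, permission, severity }.
function findOpenNodes(rulesDoc) {
  const findings = [];
  function walk(node, path) {
    if (node === null || typeof node !== "object") return;
    for (const [key, value] of Object.entries(node)) {
      if (key === ".read" || key === ".write") {
        if (isUnconditional(value)) {
          findings.push({ path: path || "/", permission: key, severity: "open" });
        } else if (isAnyAuthenticatedUser(value)) {
          findings.push({ path: path || "/", permission: key, severity: "any-user" });
        }
      } else if (key === ".validate" || key === ".indexOn") {
        continue; // not access-control keys
      } else {
        walk(value, path + "/" + key); // child location (including $wildcards)
      }
    }
  }
  walk(rulesDoc.rules, "");
  return findings;
}

function report(name, rulesDoc) {
  const findings = findOpenNodes(rulesDoc);
  console.log(`${name}: ${findings.length === 0 ? "no open nodes" : ""}`);
  for (const f of findings) console.log(`  ${f.severity.padEnd(8)} ${f.permission} at ${f.path}`);
  return findings;
}

report("weakRules", weakRules);
report("hardenedRules", hardenedRules);
```

Run it with `node` to see the weak document flagged twice at `/` and the hardened one pass. The lint only catches literal grants; a rule string such as `"auth != null"` on a shared node is reported as `any-user` because it still lets anyone who can create an account read the node.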

To prevent app secrets from being exposed, developers should:

  • Remove sensitive secrets from the client side and keep them on the server side.
  • Proxy traffic to the third-party services the app uses through their own infrastructure.

“Hard-coded secrets enable threat actors that the app listed by the app. If authentication secrets are present, threat actors can also abuse the affected services to harvest user data or use the services for their own unauthorized purposes,” the team said.
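The two recommendations above (keep secrets server-side, proxy third-party traffic through your own infrastructure) in working form, as an added example that is not the app's or the article's code. The vendor URL, the allowlisted paths, the session store and the `VENDOR_API_KEY` environment variable are all constructed placeholders. The iOS client sends only its own session token; the server resolves the user from that token, attaches the third-party key to the upstream request itself, and pins the `user` field to the server-side identity so a client cannot request another user's data by supplying a different id in the body.

```javascript
// Added example, not the app's or Cybernews' code: a server-side proxy handler
// that holds the third-party API key so the iOS client never ships it.

// Constructed placeholders; a real deployment reads the key from its secret store.
const SECRET_KEY = process.env.VENDOR_API_KEY || "placeholder-key-not-a-real-secret";
const UPSTREAM_BASE = "https://api.example-vendor.invalid/v1"; // hypothetical vendor
const ALLOWED_PATHS = new Set(["/sleep/analyze", "/sleep/tips"]); // no open relay

// Constructed session store: session token -> user id. In production this is
// your auth provider's token verification (e.g. a Firebase ID token checked server-side).
const sessions = new Map([["sess-abc123", "user-42"]]);

// Turn a request from the mobile client into the upstream request the server
// will make on its behalf, or into an error the client gets back.
// clientReq = { path, headers: { authorization }, body }
function buildUpstreamRequest(clientReq, secretKey = SECRET_KEY) {
  const token = String(clientReq.headers.authorization || "").replace(/^Bearer\s+/i, "");
  const uid = sessions.get(token);
  if (!uid) return { status: 401, error: "unauthenticated" };
  if (!ALLOWED_PATHS.has(clientReq.path)) return { status: 403, error: "path not allowed" };
  return {
    status: 200,
    upstream: {
      url: UPSTREAM_BASE + clientReq.path,
      method: "POST",
      // the secret is attached here, on the server, and only here
      headers: { "X-Api-Key": secretKey, "Content-Type": "application/json" },
      // server-asserted identity wins over anything the client put in the body
      body: JSON.stringify({ ...(clientReq.body || {}), user: uid }),
    },
  };
}

// What goes back to the client: status and data only, never the upstream
// request (headers included) that carried the key.
function toClientResponse(result, upstreamData) {
  if (result.status !== 200) return { status: result.status, error: result.error };
  return { status: 200, data: upstreamData };
}

// Demo with constructed input; the upstream call itself is stubbed out.
const demo = buildUpstreamRequest({
  path: "/sleep/analyze",
  headers: { authorization: "Bearer sess-abc123" },
  body: { hours: 6.5, user: "user-99" }, // client tries to speak for another user
});
console.log(JSON.stringify(toClientResponse(demo, { score: 72 })));
```

The allowlist matters as much as the key placement: a proxy that forwards arbitrary paths with the server's key attached just moves the exposure from the app bundle to an open relay.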

  • Leak discovered: January 7, 2025
  • Initial disclosure: January 15, 2025
  • CERT contacted: February 11, 2025
