iOS sleep app leaked sensitive user information

App Developer Magazine


Tuesday, May 27, 2025

Freeman Lightner

Cybernews researchers discovered that the iOS sleep app Sleep Journey: Insomnia Helper was leaking sensitive user data, including health habits and app secrets, due to a misconfigured Firebase database, putting user privacy and security at risk.

An iPhone app designed to combat insomnia, Sleep Journey: Insomnia Helper, exposed tens of thousands of users, revealing their names, alcohol habits, and other private data.

Stress is hardly a cure for insomnia. Meanwhile, an iOS app meant to help users fall asleep could become a headache instead. The Cybernews research team discovered that Sleep Journey: Insomnia Helper exposed numerous users.

Since Apple’s App Store doesn’t disclose how many times a certain app has been downloaded, the exact number of installations remains unknown. However, third parties estimate that the app has been downloaded over 30,000 times.

What is known is that the app's owners left a misconfigured Firebase server, exposing personal details of over 25,000 people. The true scope of the leak could be far greater, as Firebase serves as a temporary database, which means the actual amount of data stored by the service over time could be much higher.

"The app aims to help people with health and quality of life; however, due to security misconfigurations, it may inadvertently achieve the opposite, as the app leaks personal information, personally identifiable information, and health information that could be abused by threat actors," researchers said.

Moreover, attackers could set up data scrapers—automated programs that continuously request new data from the same resource, download, and store responses from the resource.

The app is sold by Cyprus-registered company Fitsia Holdings Limited. Cybernews reached out to them for comment and will update the article once a reply is received.

Top 20 leaked secrets in iOS apps

What data the iOS app exposed

According to the researchers, the misconfigured Firebase instance held a trove of personal user details such as:

  • Names
  • Email addresses
  • Dates of birth
  • Gender
  • Sleeping data
  • Habits, such as alcohol and nicotine consumption
  • Before-sleep activities
  • Medication use

Leaking personal data alongside health information is lucrative for cybercriminals, as it allows them to develop targeted attacks using the most sensitive personal details related to individuals' well-being.

"This information could be abused by malicious actors for phishing, spam, social engineering, gathering more personal information from other sources, and using personal information for credential stuffing attacks," the team said.

Attackers are fully aware of how Firebase works and could use it to their advantage by setting up scrapers to harvest data in real time.

iOS apps’ secrets revealed

Customer details were not the only sensitive information Sleep Journey: Insomnia Helper exposed. Numerous app secrets embedded on the client side of the application were also revealed, including:

  • API Key
  • Client ID
  • Database URL
  • Google App ID
  • Project ID
  • Reversed Client ID
  • Storage Bucket

Leaking app secrets poses serious security risks. Attackers can exploit these credentials to gain high-level access to user devices. Theoretically, this could enable them to bypass authentication systems, access sensitive customer data, or manipulate services without detection.

Compromised Google App IDs or Project IDs could let attackers exploit third-party services, potentially charging the company for data usage. Storage bucket credentials are particularly dangerous as they could grant access to data-filled repositories.

"This information could be abused by malicious actors for phishing, spam, social engineering, gathering more personal information from other sources, and using personal information for credential stuffing attacks," the team said again.

iOS Secrets: Proof of Concept

Apple apps leak secrets

The Cybernews research team has recently uncovered numerous apps with severe security vulnerabilities. Several BDSM, LGBTQ+, and sugar dating apps were found leaking users' private images, including photos shared in private messages.

This recent leak was found during a large-scale investigation in which researchers downloaded 156,000 iOS apps, about 8% of all apps on the App Store. They discovered that developers frequently leave plaintext credentials in app code, accessible to anyone.

The findings showed that 71% of the analyzed apps leak at least one secret, with each app exposing an average of 5.2 secrets in its code.

Cybernews example secret

How to fix leaky apps

Researchers advise focusing on Firebase instances and hardcoded secrets separately to address the issue effectively.

To fix Firebase-related issues, developers should:

  • Implement appropriate Firebase security rules to ensure only authorized and authenticated users and services can access stored data.

"The Firebase instance used by the app was exposed and publicly accessible, allowing threat actors to connect to the database and 'scrape' it in real-time, gaining access to information about any actions made by their users, including access to customer details," researchers said.
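The following is an added example, not code from the article, from Cybernews or from the app's developers. It shows Firebase Realtime Database rules in the open form that lets any client holding the database URL read and write the whole tree, beside a hardened form that restricts each signed-in user to their own record, together with a small audit that flags unconditional `.read`/`.write` grants. The `/users/$uid` layout is an assumed schema for illustration; the rules syntax itself is Firebase's own.

```javascript
// Added example: Firebase Realtime Database rules, open versus hardened, plus
// an audit that reports every path granted to unauthenticated clients.

// Open rules: anyone who knows the database URL can read and write everything.
// This is the configuration that makes real-time scraping of user records possible.
const openRules = {
  rules: {
    ".read": true,
    ".write": true,
  },
};

// A common halfway fix: writes require a signed-in user, but reads are still
// public, which is all a scraper needs.
const readOnlyPublicRules = {
  rules: {
    ".read": true,
    ".write": "auth != null",
  },
};

// Hardened rules (assumed schema): a signed-in user may only read and write
// their own record under /users/<uid>; no other path is reachable because
// Realtime Database denies access unless a rule explicitly grants it.
const hardenedRules = {
  rules: {
    users: {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
      },
    },
  },
};

// A rule value of true (boolean or the string "true") grants access with no
// auth condition at all.
function isPublic(value) {
  return value === true || value === "true";
}

// Walk a rules tree and collect every path where ".read" or ".write" is
// unconditionally true. Rules cascade downward, so a public grant at the root
// exposes every child path, which is why the root is the first place to look.
function findPublicPaths(node, path = "", out = []) {
  for (const [key, value] of Object.entries(node)) {
    if (key === ".read" || key === ".write") {
      if (isPublic(value)) out.push(`${path || "/"} ${key}`);
    } else if (value && typeof value === "object") {
      findPublicPaths(value, `${path}/${key}`, out);
    }
  }
  return out;
}

// Audit a full rules document (the object you would export from the console).
function auditRules(doc) {
  return findPublicPaths(doc.rules);
}

console.log(auditRules(openRules));           // [ '/ .read', '/ .write' ]
console.log(auditRules(readOnlyPublicRules)); // [ '/ .read' ]
console.log(auditRules(hardenedRules));       // []
```

The audit only catches literal `true` grants; a rule string such as `"auth == null || true"` would also be public and needs a human or a parser of the rules expression language to spot. Pair the rules change with a review of what the exported data already contains, since a rules fix closes the door but does not recall records that were scraped while it was open.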

To prevent app secrets from being exposed, developers should:

  • Remove sensitive secrets from the client side and place them on the server side.
  • Proxy traffic through their own infrastructure to third-party services used by the app.

"Hardcoded secrets allow threat actors to enumerate infrastructure used by the app. If any authentication secrets are present, it may also allow threat actors to abuse the affected services in order to harvest user data or use the services for their own, unauthorized purposes," the team explained.

  • Leak Discovered: January 7th, 2025
  • Initial Disclosure: January 15th, 2025
  • CERT Contacted: February 11th, 2025
