A popular Android barcode scanner app has some worrying cybersecurity flaws

Barcode being scanned
(Image credit: Caspar Benson via Getty Images)

A popular barcode-scanning app for Android carried a severe vulnerability that allowed anyone easy access to a database full of sensitive data, as long as they knew where to look. 

This is according to Cybernews report on the flaw in the Barcode to Sheet app, which allows ecommerce users to scan a barcode on an item and generate data in a format readable by different spreadsheet apps. 

It has more than 100,000 downloads on the Google Play Store, and an average rating of 4.5/5, making it relatively popular and trusted.

Different use cases, all dangerous

The data generated with the scanner went to a Firebase database which, the researchers said, was unprotected. It contained more than 360MB of data, including information about products, reports, emails, user IDs, and user passwords. Some of the information was stored in plaintext, while passwords were stored in the MD5 hash format. MD5 is all but deprecated, as it’s a broken hash algorithm and can be unlocked with basic programming knowledge.

But that’s not all, as the database also contained sensitive data on the application’s client side, with access keys and IDs alongside web client IDs, Google API keys, Google app ID, crash reporting keys, and more.

“The leaked data is sensitive. Not only did it include the application’s secrets, stored on the client side of the app, but enterprise and user information as well, including users’ passwords,” the Cybernews team said.

This means the data could be used in a number of different attacks, ranging from simple phishing attacks to identity theft, ransomware deployment, and more. Even the competition can use the data to understand their business landscape, identify their strength and weaknesses, and ultimately gain an unfair advantage. 

“Competitors can use the data for intellectual property espionage. One way to do that would be analyzing user preferences and checking what type of goods the company that was using the app has in stock,” the Cybernews team said.

The app’s developers are said to be working on a solution, and TechRadar Pro has contacted them for comment.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.