firebase-apk-scanner
Install this skill: `npx skills add trailofbits/skills` (works across Claude Code, Cursor, Codex, Copilot and Antigravity)
The firebase-apk-scanner automates the security auditing of Android applications built on Firebase backends. It decompiles target APKs to extract sensitive configuration data, including project IDs, API keys, and database URLs. Beyond extraction, the agent actively probes Firebase components for misconfigurations such as unauthenticated access to Realtime Databases, Firestore collections, and Cloud Storage buckets. It also evaluates authentication logic, specifically checking for open signup and for excessive exposure through anonymous authentication flows. The skill provides a structured methodology for finding potential data leakage points and authorization failures before deployment, and it generates summarized reports that categorize findings by severity so that security researchers can prioritize remediation based on the specific architectural flaws detected in the analyzed package.
When to Use This Skill
- Conducting security assessments on Android apps during penetration tests
- Auditing Firebase backends for unauthorized access to storage buckets
- Verifying that developers have properly locked down Firebase production rules
- Detecting leaked API keys or misconfigured auth domains in binary files
How to Invoke This Skill
Example prompts that trigger this skill in Claude Code, Cursor, or Antigravity:
- "Run a Firebase security audit on this APK"
- "Check this Android app for Firebase misconfigurations"
- "Find Firebase vulnerabilities in this APK file"
- "Perform a security scan on the Firebase backend of this mobile app"
- "Scan this APK for exposed Firebase databases and storage"
Pro Tips
- Always combine findings from this skill with manual verification and source code review for comprehensive security assessments.
- Prioritize remediation of identified open Firebase databases or storage buckets, as these often represent the highest data exposure risks.
- Use in conjunction with dynamic analysis tools to observe runtime interactions and confirm endpoint vulnerabilities uncovered statically by this skill.
What this skill does
- Automatic APK decompilation and Firebase configuration extraction
- Verification of Realtime Database and Firestore permission rules
- Testing of Cloud Functions for unauthenticated invocation
- Identification of insecure authentication methods like open signup
- Generation of structured JSON and text-based vulnerability reports
When not to use it
- Analyzing applications where you lack explicit legal authorization
- Testing non-Android platforms such as iOS or web applications
- Evaluating projects that do not use Firebase services
Example workflow
- User provides the path to an APK file
- Agent verifies the existence and accessibility of the target file
- Agent decompiles the APK and runs the automated scanner script
- Scanner interacts with identified Firebase endpoints to probe for open access
- Agent parses the generated report into a readable summary of findings
- User reviews the identified severity levels and recommended remediation steps
Prerequisites
- Apktool installed in the environment
- Explicit written authorization for the target application
- Valid path to the APK file
Pitfalls & limitations
- Cannot detect vulnerabilities in backend logic hidden from the client-side configuration
- False positives may occur if authentication logic is handled by complex custom Cloud Functions
- Limited effectiveness against heavily obfuscated code if decompilation is incomplete
How it compares
Unlike manual grepping which only finds static configuration strings, this skill performs active network-based probing to confirm if those identified endpoints are actually vulnerable to unauthorized access.
Full skill instructions (original source: trailofbits/skills)
You are a Firebase security analyst. When this skill is invoked, scan the provided APK(s) for Firebase misconfigurations and report findings.
## When to Use
- Auditing Android applications for Firebase security misconfigurations
- Testing Firebase endpoints extracted from APKs (Realtime Database, Firestore, Storage)
- Checking authentication security (open signup, anonymous auth, email enumeration)
- Enumerating Cloud Functions and testing for unauthenticated access
- Mobile app security assessments involving Firebase backends
- Authorized penetration testing of Firebase-backed applications
## When NOT to Use
- Scanning apps you do not have explicit authorization to test
- Testing production Firebase projects without written permission
- When you only need to extract Firebase config without testing (use manual grep/strings instead)
- For non-Android targets (iOS, web apps) - this skill is APK-specific
- When the target app does not use Firebase
## Rationalizations to Reject
When auditing, reject these common rationalizations that lead to missed or downplayed findings:
- **"The database is read-only so it's fine"** - Data exposure is still a critical finding; PII, API keys, and business data may be leaked
- **"It's just anonymous auth, not real accounts"** - Anonymous tokens bypass `auth != null` rules and can access "authenticated-only" resources
- **"The API key is public anyway"** - A public API key does not justify open database rules or disabled auth restrictions
- **"There's no sensitive data in there"** - You cannot know what data will be stored in the future; insecure rules are vulnerabilities regardless of current content
- **"It's an internal app"** - APKs can be extracted from any device; "internal" apps are not protected from reverse engineering
- **"We'll fix it before launch"** - Document the finding; pre-launch vulnerabilities frequently ship to production
## Reference Documentation
For detailed vulnerability patterns and exploitation techniques, consult:
- [Vulnerability Patterns Reference](references/vulnerabilities.md)
## How to Use This Skill
The user will provide an APK file or directory: `$ARGUMENTS`
## Workflow
### Step 1: Validate Input
First, verify the target exists:
```bash
ls -la $ARGUMENTS
```
If `$ARGUMENTS` is empty, ask the user to provide an APK path.
### Step 2: Run the Scanner
Execute the bundled scanner script on the target:
```bash
{baseDir}/scanner.sh $ARGUMENTS
```
The scanner will:
1. Decompile the APK using apktool
2. Extract Firebase configuration from all sources (google-services.json, XML resources, assets, smali code, DEX strings)
3. Test authentication endpoints (open signup, anonymous auth, email enumeration)
4. Test Realtime Database (unauthenticated read/write, auth bypass)
5. Test Firestore (document access, collection enumeration)
6. Test Storage buckets (listing, write access)
7. Test Cloud Functions (enumeration, unauthenticated access)
8. Test Remote Config exposure
9. Generate reports in text and JSON format
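The extraction in step 2 (and the manual grep commands later in this document) comes down to parsing google-services.json and matching a few indicator patterns in decompiled text. The helper below is an added example, not code from the trailofbits/skills scanner: it parses a constructed google-services.json in the layout Firebase emits for Android apps, applies the same firebaseio.com / appspot.com / AIza indicators as the grep step to any decompiled text file, and derives the Auth domain from the project ID using Firebase's default `<project_id>.firebaseapp.com` form (an assumption about the default domain, not a value stored in the file).

```python
import json
import re

# Constructed google-services.json in the layout Firebase emits for Android apps
# (all values are made up for this example).
SAMPLE_GOOGLE_SERVICES = json.dumps({
    "project_info": {"project_number": "123456789012",
                     "firebase_url": "https://example-app-12345.firebaseio.com",
                     "project_id": "example-app-12345",
                     "storage_bucket": "example-app-12345.appspot.com"},
    "client": [{"client_info": {"mobilesdk_app_id": "1:123456789012:android:0a1b2c",
                                "android_client_info": {"package_name": "com.example.app"}},
                "api_key": [{"current_key": "AIzaSyEXAMPLEKEY0123456789abcdefghijklm"}]}],
})

# Constructed res/values/strings.xml fragment: the same values the grep step looks for in res/.
SAMPLE_STRINGS_XML = """<resources>
  <string name="firebase_database_url">https://example-app-12345.firebaseio.com</string>
  <string name="google_storage_bucket">example-app-12345.appspot.com</string>
  <string name="google_api_key">AIzaSyEXAMPLEKEY0123456789abcdefghijklm</string>
</resources>"""

# Regexes equivalent to the manual grep: Realtime Database host, storage bucket,
# and Google API key (the "AIza" prefix followed by 35 key characters).
INDICATORS = {
    "database_url": re.compile(r"https://[\w.-]+\.firebaseio\.com"),
    "storage_bucket": re.compile(r"[\w.-]+\.appspot\.com"),
    "api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
}

def parse_google_services(text):
    """Pull the fields the scan report lists (project ID, database URL, bucket, API keys)."""
    data = json.loads(text)
    info = data.get("project_info", {})
    cfg = {"project_id": info.get("project_id"),
           "database_url": info.get("firebase_url"),
           "storage_bucket": info.get("storage_bucket"),
           "api_keys": [], "package_names": []}
    for client in data.get("client", []):
        cfg["api_keys"] += [k["current_key"] for k in client.get("api_key", []) if k.get("current_key")]
        pkg = client.get("client_info", {}).get("android_client_info", {}).get("package_name")
        if pkg:
            cfg["package_names"].append(pkg)
    # Assumption: the Auth domain is not stored in the file; Firebase's default is <project_id>.firebaseapp.com.
    cfg["auth_domain"] = f"{cfg['project_id']}.firebaseapp.com" if cfg["project_id"] else None
    return cfg

def scan_text_for_indicators(text):
    """Distinct Firebase indicators found in any decompiled text file (XML, smali, asset)."""
    return {name: sorted(set(pat.findall(text))) for name, pat in INDICATORS.items()}
```

Run `scan_text_for_indicators` over every file under the decompiled tree and diff the result against `parse_google_services` to spot projects or keys that appear only in smali or assets (hybrid apps often carry a second configuration there).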
### Step 3: Present Results
After the scanner completes, read and summarize the results:
```bash
cat firebase_scan_*/scan_report.txt
```
Present findings in this format:
---
## Scan Summary
| Metric | Value |
|--------|-------|
| APKs Scanned | X |
| Vulnerable | X |
| Total Issues | X |
## Extracted Configuration
| Field | Value |
|-------|-------|
| Project ID | extracted_value |
| Database URL | extracted_value |
| Storage Bucket | extracted_value |
| API Key | extracted_value |
| Auth Domain | extracted_value |
## Vulnerabilities Found
| Severity | Issue | Evidence |
|----------|-------|----------|
| CRITICAL | Description | Brief evidence |
| HIGH | Description | Brief evidence |
## Remediation
Provide specific fixes for each vulnerability found. Reference the [Vulnerability Patterns](references/vulnerabilities.md) for secure code examples.
---
## Manual Testing (If Scanner Fails)
If the scanner script is unavailable or fails, perform manual extraction and testing:
### Extract Configuration
Search for Firebase config in the decompiled APK:
```bash
# Decompile
apktool d -f -o ./decompiled $ARGUMENTS
# Find google-services.json
find ./decompiled -name "google-services.json"
# Search XML resources
grep -r "firebaseio.com\|appspot.com\|AIza" ./decompiled/res/
# Search assets (hybrid apps)
grep -r "firebaseio.com\|AIza" ./decompiled/assets/
```
### Test Endpoints
Once you have the PROJECT_ID and API_KEY:
**Authentication:**
```bash
# Test open signup
curl -s -X POST -H "Content-Type: application/json" \
  -d '{"email":"[email protected]","password":"Test123!","returnSecureToken":true}' \
  "https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=API_KEY"
# Test anonymous auth
curl -s -X POST -H "Content-Type: application/json" \
  -d '{"returnSecureToken":true}' \
  "https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=API_KEY"
```
**Database:**
```bash
# Realtime Database read
curl -s "https://PROJECT_ID.firebaseio.com/.json"
# Firestore read
curl -s "https://firestore.googleapis.com/v1/projects/PROJECT_ID/databases/(default)/documents"
```
**Storage:**
```bash
# List bucket
curl -s "https://firebasestorage.googleapis.com/v0/b/PROJECT_ID.appspot.com/o"
```
**Remote Config:**
```bash
curl -s -H "x-goog-api-key: API_KEY" \
  "https://firebaseremoteconfig.googleapis.com/v1/projects/PROJECT_ID/remoteConfig"
```
## Severity Classification
- **CRITICAL**: Unauthenticated database read/write, storage write, open signup on private apps
- **HIGH**: Anonymous auth enabled, storage bucket listing, collection enumeration
- **MEDIUM**: Email enumeration, accessible cloud functions, remote config exposure
- **LOW**: Information disclosure without sensitive data
## Important Guidelines
1. **Authorization required** - Only scan APKs you have permission to test
2. **Clean up test data** - The scanner automatically removes test entries it creates
3. **Save tokens** - If anonymous auth succeeds, use the token for authenticated bypass testing
4. **Test all regions** - Cloud Functions may be deployed to us-central1, europe-west1, asia-east1, etc.
5. **Multiple instances** - Some apps use multiple Firebase projects; test all discovered configurations
How to Install This Skill
Option A: Project-Specific (Recommended)
- Click "Download" above
- In your project, create the directory `.agent/skills/firebase-apk-scanner/`
- Save the file as `SKILL.md`
- The agent will automatically discover the skill based on its description.
Option B: Global Installation (All Agents)
Save the file to these locations to make it available across all projects:
- Claude Code: `~/.claude/skills/trailofbits/skills/firebase-apk-scanner/SKILL.md`
- Cursor: `~/.cursor/skills/trailofbits/skills/firebase-apk-scanner/SKILL.md`
- Antigravity: `~/.gemini/antigravity/skills/trailofbits/skills/firebase-apk-scanner/SKILL.md`
