Android game with 1m downloads leaked users’ private messages

Popular mobile role-playing game (RPG) Tap Busters: Bounty Hunters spilled sensitive user data.

Cybernews researchers discovered that the Tap Busters: Bounty Hunters app had left its database open to the public, allegedly exposing users’ private conversations for at least five months.

The app’s developers had also hardcoded sensitive data into the client side of the app, making it vulnerable to further data leaks.

Tap Busters: Bounty Hunters is an idle RPG game with more than one million downloads on Google Play Store and a 4.5-star rating based on more than 45,000 reviews. In the game, players take on the role of bounty hunters trying to become masters of the galaxy. They defeat villains and collect loot as they travel through different alien realms. Idle game mechanics mean that players can progress in-game without constant input.


Researchers discovered that Tap Busters: Bounty Hunters leaked data through unprotected access to Firebase, Google’s mobile application development platform that provides cloud-hosted database services. Anyone could have accessed the database in the meantime.

The 349MB-strong unprotected dataset contained user IDs, usernames, timestamps, and private messages. If the leaked data had not been backed up and a malicious actor had chosen to delete it, it is possible that users’ private messages would have been permanently lost without the possibility of recovery.
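An added example, not from the original article or the app's code: an offline check that flags Firebase Realtime Database rules granting public read or write access, including child rules that look restrictive but have no effect because a parent already grants access. The article does not say how this database was configured; the sample rules, the function names and the assumption that the rules file is plain JSON without comments are constructed for illustration.

```python
import json

# Constructed sample rules (not taken from the app): a root-level grant that a
# developer later tried to "tighten" on child paths.
SAMPLE_RULES = """
{
  "rules": {
    ".read": true,
    ".write": "true",
    "messages": {
      ".read": "auth != null",
      "$uid": {".write": "auth != null && auth.uid === $uid"}
    }
  }
}
"""

def is_public(expr):
    """True when a rule grants access unconditionally (boolean or string 'true')."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")

def audit(node, path="/", inherited=None):
    """Walk the rules tree and return (path, operation, reason) findings.

    Realtime Database rules cascade: once a parent grants .read or .write,
    deeper rules cannot take it away, so an open parent exposes every child.
    """
    inherited = dict(inherited or {})
    findings = []
    for op in (".read", ".write"):
        if op in inherited:
            if op in node:  # a child rule that cannot restrict anything
                findings.append((path, op, f"ineffective: already public at {inherited[op]}"))
        elif is_public(node.get(op)):
            findings.append((path, op, "public"))
            inherited[op] = path
    for key, child in node.items():
        if isinstance(child, dict):
            findings += audit(child, path.rstrip("/") + "/" + key, inherited)
    return findings

def audit_rules(text):
    """Parse a rules document (assumed plain JSON) and audit its 'rules' tree."""
    return audit(json.loads(text)["rules"])

if __name__ == "__main__":
    for path, op, reason in audit_rules(SAMPLE_RULES):
        print(f"{path:20} {op:7} {reason}")
```
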

Along with an open Firebase instance, the developers left some sensitive information, commonly known as secrets, hardcoded in the application’s client side. The keys found were: firebase_database_url, gcm_defaultSenderId, default_web_client_id, google_api_key, google_app_id, google_crash_reporting_api_key, google_storage_bucket.

Hardcoding sensitive data into the client side of an Android app is unsafe, as in most cases, it can be easily accessed through reverse engineering.

No response

The game’s developer is Tilting Point, which owns several other successful games with a large player community. Some of these games have over five million downloads. The app developer was informed of the data spill but failed to close public access to the database.

The app developers…