
Releases: Icex0/OpenFirebase

v1.3.0

29 Apr 00:42


What's New

Cloud Functions support

  • Extraction from APK/IPA: HTTP trigger URLs, callable function names, and non-default regions. DEX bytecode walking pairs callable getters with their string arguments; IPA extraction also scans bundled JS/HTML/JSON/.jsbundle for hybrid apps.
  • Scanning (--read-functions / -rcf): probes HTTP and callable triggers for unauth access. GCS source-bucket probing detects live regions before issuing function probes.
  • Fuzzing (--fuzz-functions <wordlist>): enumeration constrained to live regions. Bundled top-50/250/500 wordlists from firebase-wordlists.
  • Targeted probing in --project-id mode: --function-name, --function-region (or all).
  • --skip-gcs-probing: skip the Cloud Functions probe for projects with no extracted URLs/callables (speed over accuracy).

Web app (initial release)

  • A self-hostable web frontend lives in app/. Same scanning core as the CLI, with a queued worker, persisted scan history, live log streaming, multi-user auth, and inline result browsing.

Authentication

  • --google-id-token for signInWithIdp fallback when email/password is disabled.
  • Validation: --google-id-token rejects --app-dir, --resume, and multi-project inputs (token is bound to one OAuth client).

Other

  • Firebase App Check enforcement is now flagged when a function still returns UNAUTHENTICATED on the authenticated retry.
  • Firestore collection wordlist regenerated from real public Firebase projects.
  • Cloud Functions fuzzing output now matches Firestore collection fuzzing format.
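The callable probing and the App Check heuristic from the two lists above, as an added example (not OpenFirebase's own code). It builds the region-scoped cloudfunctions.net URL, posts the callable envelope, classifies the answer by the callable protocol's canonical error codes, and, when an ID token is supplied, marks App Check as likely if UNAUTHENTICATED survives the authenticated retry. The region list, the project name demo-project, the function names and every response body are constructed for an offline run and are assumptions, not captured data.

```python
import json
import urllib.error
import urllib.request

# Fallback regions when the app yields none; an assumed list, not OpenFirebase's.
DEFAULT_REGIONS = ["us-central1", "europe-west1", "asia-east1"]


def callable_url(project_id, region, name):
    """Host form shared by HTTP triggers and callables on Cloud Functions."""
    return f"https://{region}-{project_id}.cloudfunctions.net/{name}"


def http_send(url, id_token=None, payload=None, timeout=10):
    """POST the callable envelope {"data": ...}; return (status, body_text).

    Error responses are returned rather than raised so 400/401/403/404
    bodies reach classify() like any other answer.
    """
    body = json.dumps({"data": {} if payload is None else payload}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    if id_token:
        req.add_header("Authorization", f"Bearer {id_token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """Map one callable response to a verdict.

    The callable protocol answers {"result": ...} on success or
    {"error": {"message": ..., "status": <canonical code>}} on failure, with
    the HTTP status mirroring the code (UNAUTHENTICATED 401, PERMISSION_DENIED
    403, NOT_FOUND 404, INVALID_ARGUMENT 400).
    """
    try:
        doc = json.loads(body) if body else {}
    except json.JSONDecodeError:
        doc = {}
    if not isinstance(doc, dict):
        doc = {}
    err = doc.get("error")
    code = err.get("status") if isinstance(err, dict) else None
    if status == 200 and "result" in doc:
        return "unauth_ok"        # handler ran with no caller and returned data
    if status == 404 or code == "NOT_FOUND":
        return "not_found"        # nothing deployed under this name in this region
    if status == 401 or code == "UNAUTHENTICATED":
        return "unauthenticated"
    if status == 403 or code == "PERMISSION_DENIED":
        return "permission_denied"
    if status == 400 or code == "INVALID_ARGUMENT":
        return "unauth_reached"   # handler executed to input validation with no caller
    return "other"


def probe_callable(project_id, name, regions=DEFAULT_REGIONS, id_token=None, send=http_send):
    """Probe a callable across regions and report the first region that answers.

    App Check heuristic: when UNAUTHENTICATED persists after a valid Firebase ID
    token is supplied, user auth is not what rejected the call; on callables that
    is typically App Check enforcement. It is a signal, not proof.
    """
    for region in regions:
        url = callable_url(project_id, region, name)
        verdict = classify(*send(url, None))
        if verdict == "not_found":
            continue
        finding = {"region": region, "url": url, "unauth": verdict,
                   "auth": None, "app_check_likely": False}
        if verdict == "unauthenticated" and id_token:
            finding["auth"] = classify(*send(url, id_token))
            finding["app_check_likely"] = finding["auth"] == "unauthenticated"
        return finding
    return None


# Constructed responses so the example runs offline; not captured from a real project.
_UNAUTH = (401, '{"error":{"message":"Unauthenticated","status":"UNAUTHENTICATED"}}')
_NOT_FOUND = (404, '{"error":{"message":"Function not found","status":"NOT_FOUND"}}')
_P, _R = "demo-project", "europe-west1"
SAMPLE_RESPONSES = {
    (callable_url(_P, _R, "getProfile"), False): _UNAUTH,
    (callable_url(_P, _R, "getProfile"), True): _UNAUTH,   # still 401 with a token: App Check
    (callable_url(_P, _R, "adminOnly"), False): _UNAUTH,
    (callable_url(_P, _R, "adminOnly"), True): (403, '{"error":{"message":"Admins only","status":"PERMISSION_DENIED"}}'),
    (callable_url(_P, _R, "listUsers"), False): (200, '{"result":{"users":["alice","bob"]}}'),
}


def sample_send(url, id_token=None, payload=None, timeout=10):
    """Offline stand-in for http_send keyed on (url, token present)."""
    return SAMPLE_RESPONSES.get((url, bool(id_token)), _NOT_FOUND)


if __name__ == "__main__":
    for fn in ("listUsers", "getProfile", "adminOnly", "missingFn"):
        print(fn, probe_callable(_P, fn, id_token="fake.id.token", send=sample_send))
```

Pass the real http_send (the default) and a genuine ID token to run it against a project you are authorized to test; the 400 verdict is worth keeping separate from 200, since a handler that reaches input validation without a caller has no auth gate in front of it even if it returned no data.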

Bug Fixes

  • tool_version in scan JSONs was hard-coded to 1.0.0 while shipping as 1.2.x. Now reads from package metadata.
  • App Check status missing from file output (console had it).
  • Androguard upstream bug patched in pinned fork.
  • Various small Cloud Functions probing fixes.

v1.2.0

10 Apr 23:03


What's New

This release makes extraction even faster and improves reliability and detection: extraction is now 16x faster than in the first release.

  • Full rewrite of the extraction phase — up to 7x faster than previous jadx implementation
  • iOS IPA support — extract Firebase items from GoogleService-Info.plist, Mach-O binary strings, bundled service account JSONs, and hardcoded PEM keys
  • Mixed APK/IPA directory scanning with -d
  • Firestore collection and document name detection via DEX bytecode walk
  • Hardcoded PEM private key recovery from both APK (DEX) and IPA (Mach-O) binaries
  • Default process count now scales with CPU
  • Faster extraction for non-Firestore APKs — skips bytecode walk when no Firestore references exist in DEX string pool
  • Added links to FireSA and Firebase Pentest Checklist in README

Bug Fixes

  • Fixed non-deterministic extraction silently dropping APKs when scanning directories with multiple processes
  • Removed hidden 120-second timeout that discarded large APKs under concurrency
  • Eliminated triple-parsing of each APK by caching the androguard APK object across extraction stages
  • Fixed Other_Google_API_Key pattern matching short non-key strings as false positives — now enforces correct 39-character format
  • Surfaced all previously silent except Exception: pass blocks so extraction errors are visible in console output
  • PEM private keys in output file now use real newlines instead of escaped \n, matching console output
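The two string-pool checks above (the 39-character Google API key format and PEM private key recovery with escaped newlines restored), as an added example that is not OpenFirebase's code. Google API keys are "AIza" plus 35 URL-safe characters, so a boundary-anchored 39-character pattern drops the short lookalikes that caused the false positives; the PEM matcher accepts PKCS#8, RSA and EC blocks whether the body uses real newlines or the literal backslash-n found in DEX strings and in service-account JSON. The string pool below is constructed, and the base64 fragment is a truncated placeholder, not a real key.

```python
import re

# "AIza" + 35 URL-safe chars = 39 chars. The lookarounds refuse to match inside a
# longer token, so "AIzaSyShort" and a 40-char string are both rejected.
GOOGLE_API_KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])AIza[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")

# PKCS#8 ("PRIVATE KEY"), PKCS#1 ("RSA PRIVATE KEY") and SEC1 ("EC PRIVATE KEY").
# re.S lets the body span real newlines; literal "\n" sequences are plain characters.
PEM_PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----",
    re.S,
)


def normalize_pem(blob):
    """Turn an escaped one-line PEM into real lines with a single trailing newline."""
    text = blob.replace("\\r", "").replace("\\n", "\n").replace("\r", "")
    lines = [line.strip() for line in text.split("\n") if line.strip()]
    return "\n".join(lines) + "\n"


def find_google_api_keys(strings):
    """Return unique 39-character Google API keys found in a string pool, in order."""
    found = []
    for s in strings:
        for match in GOOGLE_API_KEY_RE.finditer(s):
            if match.group() not in found:
                found.append(match.group())
    return found


def find_private_keys(strings):
    """Return unique PEM private keys, normalized to real newlines."""
    keys = []
    for s in strings:
        for match in PEM_PRIVATE_KEY_RE.finditer(s):
            pem = normalize_pem(match.group())
            if pem not in keys:
                keys.append(pem)
    return keys


# Constructed string-pool entries; the key is a fake in valid format, the PEM body is a stub.
SAMPLE_STRINGS = [
    "https://maps.googleapis.com/maps/api/geocode/json?key=AIzaSyD-EXAMPLE0123456789abcdefghijklmn",
    "API_KEY = AIzaSyD-EXAMPLE0123456789abcdefghijklmn;",   # same key again: deduplicated
    "AIzaSyShort",                                           # short lookalike: rejected
    "AIzaSyD-EXAMPLE0123456789abcdefghijklmnX",              # 40 characters: rejected
    '{"type":"service_account","private_key":"-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkq'
    '\\nhkiG9w0BAQEFAASC\\n-----END PRIVATE KEY-----\\n"}',
]


if __name__ == "__main__":
    print(find_google_api_keys(SAMPLE_STRINGS))
    print(find_private_keys(SAMPLE_STRINGS)[0])
```

Feed it the decoded string pool of a DEX or the printable strings of a Mach-O; writing the normalized PEM to a file is what lets openssl or a Python crypto library load it directly.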

v1.1.0

07 Apr 08:38


  • Added API key bypasses for iOS and websites
  • Output now shows if misconfiguration is related to GCS IAM or Firebase rules both in auth and unauth mode
  • Check if storage bucket access is allowed directly via GCS even if firebase rules block it
  • Updated README.md with payloads and wordlist
  • Added a check for disabled email enumeration protection
  • Fixed the RTDB OAuth token parameter difference
  • Improved Firestore collection wordlist and simplified write arguments
  • Fixed service account scoping; permissions are now determined before a service account is rejected
  • Fixed missing RTDB bug
  • Added support for service account extraction and scanning
  • Fixed auth retries missing from the full scan output file in a combined scan
  • Fixed resume-auth-file not scanning Remote Config
  • File output logic fixes
  • Show auth projects in the same order as scans
  • Fixed API restriction headers not being included on all projects from the same APK
  • Full scan summary cleanup; added other_firebase_project_id
  • Differentiate between read and write in the auth results summary
  • Added jadx timeout flag and changed the Windows process-killing method
  • Fixed missing import for apksigner
  • Fixed force kill and added app_id back to the auth_data file
  • Auth console output cleanup
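The GCS-versus-rules check from the list above (storage readable directly through GCS even when Firebase rules block it, and reporting which layer is responsible), as an added example that is not OpenFirebase's code. It lists the same bucket through the Firebase Storage REST path, which Firebase Security Rules govern, and through the GCS JSON API, which only Cloud IAM governs, then names the layer that granted access. Only the unauthenticated mode is shown: the authenticated retry needs different credentials per endpoint (Firebase Storage takes an Authorization: Firebase ID-token header, GCS an OAuth2 bearer) and is left out. The bucket names and responses are constructed for an offline run.

```python
import urllib.error
import urllib.request


def firebase_list_url(bucket):
    """Firebase Storage REST listing: this path is subject to Firebase Security Rules."""
    return f"https://firebasestorage.googleapis.com/v0/b/{bucket}/o"


def gcs_list_url(bucket):
    """GCS JSON API listing of the same bucket: subject to Cloud IAM only."""
    return f"https://storage.googleapis.com/storage/v1/b/{bucket}/o"


def http_get(url, timeout=10):
    """Anonymous GET; error bodies are returned, not raised."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def storage_exposure(bucket, send=http_get):
    """Report which layer, if any, lets an anonymous caller list the bucket.

    A Firebase Storage bucket is a GCS bucket with a rules engine in front of
    one API. A rules deny says nothing about IAM: if allUsers holds
    storage.objects.list, the GCS API lists the bucket whatever the rules say.
    Both paths are tried and the verdict names the layer that granted access.
    """
    fb_status, _ = send(firebase_list_url(bucket))
    gcs_status, _ = send(gcs_list_url(bucket))
    via = []
    if fb_status == 200:
        via.append("firebase_rules")
    if gcs_status == 200:
        via.append("gcs_iam")
    if fb_status == 404 and gcs_status == 404:
        state = "bucket_not_found"
    elif via:
        state = "readable"
    else:
        state = "blocked"
    return {"bucket": bucket, "state": state, "via": via,
            "firebase_status": fb_status, "gcs_status": gcs_status}


# Constructed responses for an offline run; not captured from any real project.
_DENIED = (403, '{"error":{"code":403,"message":"Permission denied."}}')
_ANON = (401, '{"error":{"code":401,"message":"Anonymous caller does not have storage.objects.list access."}}')
_NOT_FOUND = (404, '{"error":{"code":404,"message":"Not Found"}}')
SAMPLE_RESPONSES = {
    # rules deny, but allUsers has objectViewer: the rules are not what protects this bucket
    firebase_list_url("rules-block.appspot.com"): _DENIED,
    gcs_list_url("rules-block.appspot.com"): (200, '{"kind":"storage#objects","items":[{"name":"users.csv"}]}'),
    # rules allow public read, IAM does not: a rules misconfiguration
    firebase_list_url("rules-open.appspot.com"): (200, '{"prefixes":[],"items":[{"name":"avatar.png"}]}'),
    gcs_list_url("rules-open.appspot.com"): _ANON,
    # both layers deny
    firebase_list_url("locked.appspot.com"): _DENIED,
    gcs_list_url("locked.appspot.com"): _ANON,
}


def sample_send(url, timeout=10):
    """Offline stand-in for http_get."""
    return SAMPLE_RESPONSES.get(url, _NOT_FOUND)


if __name__ == "__main__":
    for b in ("rules-block.appspot.com", "rules-open.appspot.com", "locked.appspot.com", "missing.appspot.com"):
        print(storage_exposure(b, send=sample_send))
```

When via contains gcs_iam, tightening storage.rules changes nothing; the fix is removing allUsers (or allAuthenticatedUsers) from the bucket's IAM policy.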

v1.0.0

21 Sep 16:45
e4b62c7
