RC Spy is a security tool that scans installed Android apps to detect if their Firebase Remote Config is publicly accessible — a common misconfiguration that can expose sensitive configuration data. It extracts Firebase credentials from APKs and checks for vulnerable endpoints. Built using the Flutter framework.

Features:
- APK Analysis — Extracts Firebase credentials (App IDs & API Keys) from installed apps
- Vulnerability Detection — Checks if Remote Config endpoints are publicly accessible
- Multiple Views — View exposed configs in List, Table, or raw JSON format
- Smart Filtering — Filter by All, Vulnerable, Firebase, Secure, or No Firebase
- Local Caching — Results persist across app launches
- Fast Scanning — Parallel analysis using isolates for smooth performance

Who it is for:
- Security researchers auditing app configurations
- Penetration testers identifying misconfigurations
- Developers checking their own apps for vulnerabilities
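
For the developer use case above, here is an added example (not RC Spy's own code) of auditing your own app offline: it reads the Firebase App ID and API key from a decoded `strings.xml`, then flags Remote Config entries that look like secrets, including ones nested in JSON-encoded values. Assumptions: the `google_app_id` / `google_api_key` resource names written by the google-services Gradle plugin, the `{"entries": ...}` shape of the exported config, the name and value patterns, and all sample values, which are constructed.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: string resources from a decoded APK (placeholder values).
STRINGS_XML = """<resources>
  <string name="app_name">Demo</string>
  <string name="google_app_id">1:000000000000:android:0000000000000000</string>
  <string name="google_api_key">CONSTRUCTED_PLACEHOLDER_API_KEY</string>
</resources>"""

# Constructed sample of an exported config; the "entries" map is an assumed shape.
CONFIG_JSON = json.dumps({"entries": {
    "welcome_text": "Hello!",
    "payment_secret": "constructed-placeholder",
    "feature_flags": json.dumps({"new_ui": True, "admin_password": "constructed"}),
    "cloud_backup_id": "AKIAEXAMPLEEXAMPLE00",
}})

# Illustrative patterns only; extend them for the secrets your project uses.
SECRET_NAME = re.compile(r"secret|passw(or)?d|token|private[_-]?key|api[_-]?key", re.I)
SECRET_VALUE = re.compile(r"AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----")

def firebase_credentials(strings_xml):
    """Return the Firebase App ID and API key found in a strings.xml document."""
    wanted = {"google_app_id", "google_api_key"}
    return {s.get("name"): (s.text or "").strip()
            for s in ET.fromstring(strings_xml).iter("string")
            if s.get("name") in wanted}

def walk(path, value):
    """Yield (path, leaf) pairs, descending into JSON encoded inside strings."""
    if isinstance(value, str):
        try:
            decoded = json.loads(value)
        except ValueError:
            decoded = None
        if isinstance(decoded, (dict, list)):
            value = decoded
    if isinstance(value, dict):
        for key, item in value.items():
            yield from walk(f"{path}.{key}", item)
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from walk(f"{path}[{index}]", item)
    else:
        yield path, value

def flag_sensitive(config_json):
    """Return sorted entry paths whose name or value looks like a secret."""
    entries = json.loads(config_json).get("entries", {})
    return sorted(p for k, raw in entries.items() for p, leaf in walk(k, raw)
                  if SECRET_NAME.search(p) or SECRET_VALUE.search(str(leaf)))
```

Anything `flag_sensitive` reports belongs on a server the app authenticates to, not in Remote Config, because the App ID and API key that `firebase_credentials` finds ship inside every copy of the APK.
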

Tech stack:
- Flutter & Dart
- Provider for state management
- Isolates for background processing

This tool is intended for security research and educational purposes only. Only scan apps you have permission to analyze. The developer is not responsible for any misuse of this tool.

This project is licensed under the GNU General Public License v3.0 — see the LICENSE file for details.

Made with love for security researchers





