Popular iPhone call recording app left recordings unsecured on the web
Security researchers have identified an iPhone application that allowed malicious threat actors to listen in on users’ private call recordings, potentially exposing sensitive information.
PingSafe AI’s Anand Prakash discovered the vulnerability in a free app called Automatic call recorder, offered for free on the App Store for iPhone.
According to PingSafe, the app was a popular choice for iPhone users, ranking #15 in the App Store’s business category downloads list worldwide.
However, the app comes with a major vulnerability within its API, which enabled attackers to put another user’s numbers in the recordings request. The API then provides the storage bucket link with no authentication needed and also provides a user’s call history.
PingSafe decompiled the IPA file and determined the relevant S3 buckets, host names, as well as sensitive details used by the application.
The company states, “The vulnerability allowed any malicious actor to listen to any user's call recording from the cloud storage bucket of the application and an unauthenticated API endpoint which leaked the cloud storage URL of the victim's data.”
With the help of PingSafe and TechCrunch’s Zach Whittaker, Anand Prakash followed responsible disclosure and submitted the vulnerability to the app developer. The developer, listed as Arun Nair, has since patched the vulnerability and a new version is available on the App Store.
“Security issues like this are catastrophic in nature. Along with impacting customer's privacy, these also dents the company's image and provides added advantage to the competitors,” PingSafe comments.
Users of the Automatic call recorder app should make sure to update their app immediately, or they could face a potential security beach - particularly because PingSafe published exact steps to reproduce the vulnerability within its blog.
ESET cybersecurity specialist Jake Moore says, “After making sure that you have downloaded an app from official app stores, you would have to assume that it is protected and safe from standard vulnerabilities and privacy.”
“However, data can have a tendency to leak if the application hasn’t been properly tested, causing privacy and data breach issues. If users have divulged sensitive information in such calls that involve financial data, it would be a good idea to consider changing any details that are easy to change.”
PingSafe states that it uses a “State of the art intelligent risk evaluation engine to monitors the security health of a company comprehensively by assessing all domains, IPs, mobile applications, sources codes and leaked credentials."