Messaging App Go SMS Pro Exposed Millions of Users' Private Photos and Files

Go SMS Pro, one of the most popular messaging apps for Android, is exposing photos, videos and other files sent privately by its users. Worse, the app maker has done nothing to fix the bug. TechCrunch reports: Security researchers at Trustwave discovered the flaw in August and contacted the app maker with a 90-day deadline to fix the issue, as is standard practice in vulnerability disclosure to allow enough time for a fix. But after the deadline elapsed without hearing back, the researchers went public. Trustwave shared its findings with TechCrunch this week.

When a Go SMS Pro user sends a photo, video or other file to someone who doesn't have the app installed, the app uploads the file to its servers, and lets the user share a web address by text message so the recipient can see the file without installing the app. But the researchers found that these web addresses were sequential. In fact, any time a file was shared -- even between app users -- a web address would be generated regardless. That meant anyone who knew about the predictable web address could have cycled through millions of different web addresses to users' files. Go SMS Pro has more than 100 million installs, according to its listing in Google Play.

It's a feature not a bug

[TuballoyThunder]

The app developer wanted to highlight that security/privacy and SMS are orthogonal.

Developers are out-to-lunch

[bobthesungeek76036]

I used to have this SMS app. It has a private box feature that I need. There was an issue that if you sent a pic to one of your private contacts, it would keep sending it over and over until you deleted the message. I tried to contact the developers multiple times but got crickets. Deleted it and now using Next SMS. Stay very far away from Go SMS Pro (far from that).

Apple iMessage is secured

[raymorris]

When you "attach" a photo (or any file) from your phone to a message on your iOS device using iMessage on both sides, it uses end-to-end encryption similar to what is used for TLS.

The sender retrieves from Apple the *public* key of the recipient. The sender uses this public key to encrypt the message. If there is an attached file, the sender generates a random AES key and uses that to encrypt the file. The encrypted file is sent to Apple's servers. The random AES key needed to decrypt the file is included

Re:

[Anonymous Brave Guy]

And then you turn on iCloud Backup and it gives your private key to Apple, compromising the entire system.

I'm not sure I'd cite Apple's systems as a good example of security right now. They're much better than some, and there are reasonable non-security arguments for working the way they do, but in terms of security and privacy they are still far from perfect and deliberately staying that way.

Re:

[raymorris]

So, the topic here was the media links in iMessage.
If you want to do a comprehensive exposition of all the security implications of all of Apple's products and services, maybe we could write a couple books together. That would be fun.

Yes, with iCloud backup, Apple gets the key and could read your files. Without iCloud backup, Apple could read all of your files. So it doesn't change what Apple can do. Remember Apple provides the OS updates. Which means if Apple wanted to read your files, they could send yo

Re:

[Anonymous Brave Guy]

Remember Apple provides the OS updates. Which means if Apple wanted to read your files, they could send you an OS update that does that.

Sure, but that would probably be illegal on multiple grounds in many Western countries now.

It would also be big news when it was inevitably discovered, which would undermine trust and might even cost them a significant amount of money if it turned in to a serious PR problem.

The user trusts the maker of the hardware and operating system.

I'm not sure that's entirely true, but in any case, iCloud isn't the hardware or the operating system. It's a remotely hosted system, and one to which parties other than Apple are known to have access.

Re:Nothing you post on the Internet is private

[Errol backfiring]

But this is not a "post on the internet" app; it is an app to send things to one specific individual. That the does this by posting the content on the net, and apparently unencrypted, is something the user would not expect.

These guys struck me as sketchy years ago

[Voyager529]

Go SMS Pro was my favorite SMS client for a while, most notably because it handled backup and restore of texts and MMS messages within the app, which was nice.

Then, one day, they changed it so that you needed to pay for local backups, but cloud backups were still free. Seemed a bit backwards to me; why was it 'free' to send my data to their servers, but saving to my own device cost money? Moreover, it was amusing that my automatic nightly backup to my SD card ran fine, but I just couldn't create a new scheduled task or run a scheduled backup.

So, I paid up; it was something like $5/yr, which seemed reasonable to me.

90 days later I wiped my phone and re-added the app (this was all back in the 2.x days when modded ROMs were frequent and more customized, so flashing was a common practice), and it acted like I didn't pay for the app.

That's when I switched to Textra + MyBackup Pro and couldn't be happier.

Re:

[fustakrakich]

Take the money and run... They're gone

Entertaining until it's me

[scybolt]

You literally can download thousands of pictures users thought were "private". Interesting.

RCS ?

[Frederic54]

Why people are not using the standard SMS application that supports RCS [wikipedia.org] (no, not Revision Control System, but Rich Communication Services).

Android app is using RCS since Android 8 I think, why install 3rd party non-compatible applications?