Privacy IOS Security

A Bug in a Popular iPhone App Exposed Thousands of Call Recordings (techcrunch.com) 33

A security vulnerability in a popular iPhone call recording app exposed thousands of users' recorded conversations. From a report: The flaw was discovered by Anand Prakash, a security researcher and founder of PingSafe AI, who found that the aptly named Call Recorder app allowed anyone to access the call recordings from other users -- by knowing their phone number. But using a readily available proxy tool like Burp Suite, Prakash could view and modify the network traffic going in and out of the app. That meant he could replace his phone number registered with the app with the phone number of another app user, and access their recordings on his phone. TechCrunch verified Prakash's findings using a spare phone with a dedicated account. The app stores its users' call recordings on a cloud storage bucket hosted on Amazon Web Services. Although the bucket was open and lists the files inside, the files could not be accessed or downloaded. The bucket was closed by press time.
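The flaw described above is a classic insecure direct object reference: the server treats a phone number supplied by the client as the caller's identity. The following is an added illustration, not code from the app or the report, and its data, session store and handler names are constructed; it places a handler with that weakness beside one that derives identity only from the authenticated session.

```python
# Added example (not from the article or the app): models the access-control
# flaw described above and a hardened handler that binds identity to the session.
from dataclasses import dataclass, field

# Constructed sample data: recordings keyed by the owner's phone number.
RECORDINGS = {
    "+15550001111": ["call-2021-03-01.m4a", "call-2021-03-05.m4a"],
    "+15550002222": ["call-2021-02-28.m4a"],
}

# Constructed session store: session token -> phone number verified at login.
SESSIONS = {"tok-alice": "+15550001111", "tok-bob": "+15550002222"}


@dataclass
class Request:
    session_token: str
    body: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


def list_recordings_vulnerable(req: Request) -> list:
    """Insecure: the phone number in the request body selects the account.
    Being logged in is checked, but which account is read is not tied to
    who logged in, so an edited request reads someone else's recordings."""
    if req.session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return list(RECORDINGS.get(req.body["phone"], []))


def list_recordings_fixed(req: Request) -> list:
    """Hardened: identity comes only from the server-side session. A body
    phone number that disagrees with the session is refused, which also
    gives the server a concrete event to log and alert on."""
    owner = SESSIONS.get(req.session_token)
    if owner is None:
        raise Forbidden("not logged in")
    body_phone = req.body.get("phone")
    if body_phone is not None and body_phone != owner:
        raise Forbidden("phone number does not match authenticated user")
    return list(RECORDINGS.get(owner, []))
```

The mismatch branch in the fixed handler is also the natural detection point: a spike of refusals there is the signal that someone is editing requests.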
  • by Anonymous Coward

    Nothing to see here, move along this is not news.

  • You mean to say (Score:5, Insightful)

    by Rosco P. Coltrane ( 209368 ) on Tuesday March 09, 2021 @11:54AM (#61140722)

    Apple's intensely annoying review process when you submit an app for inclusion in the Apple Store isn't that stringent after all?

    I'm shocked. SHOCKED I tell you!

    • by dgatwood ( 11270 )

      Completely useless, like I've been saying for years. Security must be by design. Anything else is theater.

    • This is not a typical app. How are Apple supposed to review security on external, third-party servers?

      • Unfortunately it is a pretty typical app. The vast majority seem to have some external service and without a doubt many of them have stupid security holes. Apple is unlikely to be able to police this all that well.

      • Most apps connect to external, third-party servers. Usually from multiple companies.

      • It is a very typical app. Does it ask you for permission to get your phone number? Any permission granted to any app can leak information because the internet is always granted.
    • Yeah, I understand you're all annoyed (and perhaps in a rush to FP, too), but don't you have a solution approach to offer? At least a hint?

      Let me stipulate that bad apps exist and bad actors are going to create apps that reflect their badness. There needs to be some way to deal with them, so...

      The approach I would favor would expose the business models to help us, the suckers, avoid the bad apps. Basically a "financial model" part of the app description. In most cases the developer could just pick from a me

      • Your idea wouldn't have helped with this app.

        Shouldn't your suggestion at least solve the problem we are actively discussing?

        • by shanen ( 462549 )

          Good point, but no, because I think that reducing the complexity of the security problem would help, and much, or perhaps most of the complexity of this problem is coming from the sheer volume of security attacks. The sheer financial attractiveness of malware is overwhelming the efforts to detect even the purest technical flaws like this one. (However, I then have to amend this reservation to say that Apple (and the google) would respond to downsizing the problem by downsizing their staff of security invest

    • Apple's intensely annoying review process

      The story is about an issue with server security, not application security. The app is not leaking stored audio, the server is.

      Is Apple supposed to review every aspect of your server? Are they supposed to drop by and examine physical security for your company as well? Is Apple supposed to try and spearphish your customer support staff to red-team you?

      • Is Apple supposed to try and spearphish your customer support staff to red-team you?

        No. That's why they could drop the security theater and stop being assholes during their fucking review process.

        Although I suspect all they care about is that you don't undercut them or bypass their silly little rules. They probably don't really give much of a shit about the user's true security, insofar as the user doesn't get mad enough to switch to Android when there's a problem.

        • Why do you think that your low ethical standards would apply to Apple?

          • Why do you think that your low ethical standards would apply to Apple?

            Apple is a public corporation which literally invented one of the world's most insidious tax dodges. They know fuck-all about ethics.

        • by ToasterMonkey ( 467067 ) on Tuesday March 09, 2021 @03:02PM (#61141644) Homepage

          Is Apple supposed to try and spearphish your customer support staff to red-team you?

          No. That's why they could drop the security theater and stop being assholes during their fucking review process.

          Although I suspect all they care about is that you don't undercut them or bypass their silly little rules. They probably don't really give much of a shit about the user's true security, insofar as the user doesn't get mad enough to switch to Android when there's a problem.

          Apple can't check 3rd party networked services for logic bugs, so they should do nothing at all. That makes as much sense as fucking a cactus.

          Is Android too hard for you, or are you salty because nobody buys the Android version of your app?

          • Apple has only really two options.

            One, force everything to go to/through Apple with no APIs which permit anything different and monitor all their activity.

            Two, occasionally distribute malware.

            There is no third option, unless it is to do all of that stuff and occasionally distribute malware anyway.

        • No. That's why they could drop the security theater and stop being assholes during their fucking review process.

          While I agree there is a lot of security theater going on in this world, Apple App Review is not one of them. While they are not incredible they do a decent job with review and weeding out obviously malevolent apps.

          But it's only realistic for them to do so much.

        • Is Apple supposed to try and spearphish your customer support staff to red-team you?
          No. That's why they could drop the security theater and stop being assholes during their fucking review process.
          Although I suspect all they care about is that you don't undercut them or bypass their silly little rules. They probably don't really give much of a shit about the user's true security, insofar as the user doesn't get mad enough to switch to Android when there's a problem.

          And with the astronomical differences in the amount of malware in Android vs. iOS/iPadOS/WatchOS/TVOS Apps, do you really think you can honestly support a position that Apple's App Review process is nothing but ineffectual Security Theatre?

          Right. And the Election was Stolen.

          • Do you have proof of this? My proof is that literally all the white hat hackers had to admit what they did with their apps. Then they got punished by being ejected off the app store. I add that Spybot Search and Destroy has adware and malware definitions for i devices. So what's your proof malware is low in the app store? Before you answer that, remember nobody can do a bulk scan except for Apple.
            • Do you have proof of this? My proof is that literally all the white hat hackers had to admit what they did with their apps. Then they got punished by being ejected off the app store. I add that Spybot Search and Destroy has adware and malware definitions for i devices.

              So what's your proof malware is low in the app store? Before you answer that, remember nobody can do a bulk scan except for Apple.

              What is your proof that it is high?

    • Did Steve Jobs touch you inappropriately as a young man?

    • Apple's review process is more toward preventing malicious apps and providing a minimum standard for usability. So, if you downloaded a fun crossword puzzle game and it was recording your phone calls, then it would get flagged. Apple's responsibility is not 3rd party integration. Apple has improved security by all but forcing developers to use https, etc, but you can't solve bad security design in a 30 minute app review. I think the scope is fair.
      • Except a flashlight was downloaded millions of times when tethering wasn't a thing on idevices. A flashlight with a DHCP server, DNS, and accessing the wifi in a very odd way. No, the review process would not find many permission overreaches.
        • True, I was oversimplifying. You can always find instances of human mistakes. This doesn't change my main point about review scope as it relates to 3rd party. Apple has generally led the way when it comes to security/privacy and performance on the mobile front in my experience as a user and (sometimes frustratingly) a developer.
  • Although yes, no-one else should have been able to get at that data aside from the person who recorded it, a lot of problems would have been avoided by encrypting the audio client-side before uploading... then even if some errant server programming let people access the raw data, you couldn't do anything with it.

    Defense in depth people!

  • Simple “Thank you” to Anand Prakash, security researcher and founder of PingSafe AI.

    Thank you for being there, chasing a clue and exposing a breach into which all Call Recorder.app users were completely pants’d.

    No thank you to Apple App Store and its 30% surcharge that supposedly analyses app security lapses, breaches and flawed implementations.

    • Because of course that 30% also doesn't pay for the hosting, the bandwidth, the store infrastructure, the payment fees...

      • Because of course that 30% also doesn't pay for the hosting, the bandwidth, the store infrastructure, the payment fees...

        Almost all of it is profit.

      • It does not. All that stuff costs peanuts compared to profits.

        • by tlhIngan ( 30335 )

          It does not. All that stuff costs peanuts compared to profits.

          Then release your app for free and sell ads on it. Apple takes 0% of ad revenue. And 30% of free is free, so Apple is hosting your app for free. At 99 cents, the app barely breaks even for Apple. At 1.99, then Apple can start recouping the cost of running the store. But free and 99 cent apps are the vast majority of apps out there.

  • It is either your boss, hr, telemarketers or your parents/siblings or that friend that sends an email then phones and asks if you received it.
