This iPhone app exposed thousands of users' recorded calls
Thousands of users' recordings at risk thanks to a vulnerability
A security vulnerability has been discovered in a popular call recording app for the iPhone, potentially exposing the call recordings of thousands of users.
The flaw in the Automatic Call Recorder app was discovered by PingSafe AI security researcher Anand Prakash. It turns out that anyone could access recordings from other users, just as long as they knew the other users' phone numbers.
According to Prakash, it's not as simple as entering a user's phone number and then having access to all their recorded calls. But it's not all that difficult either. Prakash accomplished it with the network-sniffing proxy tool Burp Suite.
Widely used by security researchers, Burp Suite allowed Prakash to view and modify network traffic as it passed to and from the Automatic Call Recorder app on his iPhone. It allowed him to replace the registered phone number with that of a different registered user.
This vulnerability shows the inherent dangers of storing app data in cloud storage and failing to properly secure it, as was the case here.
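The general pattern behind this kind of flaw, as an added example that is not the app's own code: a handler that looks up recordings by whatever phone number the request carries, beside one that takes the owner from the server-side session. The function names, session store and sample data are hypothetical and constructed for illustration.

```python
import secrets

# Constructed sample data: server-side sessions and stored recording keys.
SESSIONS = {}                      # session token -> verified phone number
RECORDINGS = {                     # phone number -> object keys in cloud storage
    "+15550100": ["rec/a1.m4a", "rec/a2.m4a"],
    "+15550199": ["rec/b1.m4a"],
}

def login(verified_phone):
    """Issue an opaque token once the number has been verified (assumed done elsewhere)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = verified_phone
    return token

def list_recordings_vulnerable(request):
    """Flawed pattern: the lookup key is the number the client sends,
    so a request modified in transit selects another user's recordings."""
    return RECORDINGS.get(request["phone"], [])

def list_recordings_hardened(request):
    """The owner is derived from the session; a client-supplied number
    is only compared against it and never used as the lookup key."""
    owner = SESSIONS.get(request.get("token", ""))
    if owner is None:
        raise PermissionError("unauthenticated")
    claimed = request.get("phone")
    if claimed is not None and claimed != owner:
        raise PermissionError("phone number does not match session")
    return RECORDINGS.get(owner, [])

def demo():
    """Replay the same tampered request against both handlers."""
    token = login("+15550100")
    tampered = {"token": token, "phone": "+15550199"}
    leaked = list_recordings_vulnerable(tampered)
    try:
        list_recordings_hardened(tampered)
        blocked = False
    except PermissionError:
        blocked = True
    own = list_recordings_hardened({"token": token})
    return leaked, blocked, own

if __name__ == "__main__":
    print(demo())
```

The same ownership check belongs in front of the storage bucket itself: objects should be reachable only through the authorised handler, not by direct request.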
According to TechCrunch, which was able to replicate the exploit, Automatic Call Recorder stores its recordings in a cloud-storage bucket hosted by Amazon Web Services. That bucket held around 130,000 recordings that took up 300 gigabytes of space.
A report last week from mobile security firm Zimperium suggests that leaky smartphone apps are far from rare. The firm found about 18,000 Android and iOS apps that hadn't set up cloud-storage databases correctly. While the apps weren’t named in that report, it does mean potentially millions of users are at risk of having their data exposed.
TechCrunch got in touch with Automatic Call Recorder’s developers, who promptly patched the vulnerability on March 6. So there’s no need to delete all your recordings in a panic as long as you update Automatic Call Recorder to version 2.26.
Tom is Tom's Guide's UK Phones Editor, tackling the latest smartphone news and vocally expressing his opinions about upcoming features or changes. It's a long way from his days as editor of Gizmodo UK, when pretty much everything was on the table. He’s usually found trying to squeeze another giant Lego set onto the shelf, draining very large cups of coffee, or complaining about how terrible his Smart TV is.