The Automatic Call Record app recently patched a security vulnerability that made thousands of other users' conversations viewable.
The app has a four-star rating on the Apple store, and is listed as one of the most downloaded call recording apps on iOS.
Call recording apps enable users to record telephone calls. The apps are commonly used by organisations which rely on telephone calls as the primary platform for communication.
It’s likely that the popularity of apps like Automatic Call Record spiked during last year’s initial lockdown, when most of the country spent its time working from home.
The exploit, which was found by Anand Prakash and reported by TechCrunch, involved using open-source intelligence to find the app’s cloud storage on Amazon.
Prakash could access the files by routing the application’s network traffic through a web proxy and then modifying the traffic passing through it. This allowed him to replace the phone number he had registered with the app with the number of any other user, and then access their data.
An API would typically authenticate such a request, but this one didn’t, which is why Prakash could access sensitive information like call recordings and even a user’s entire call history.
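The flaw described above comes down to a server that treats the phone number in the request as proof of who is calling. The following added example (not the app's code; the handler names, token format and sample data are hypothetical) puts that pattern beside a version that derives the owner from a server-signed token:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: recordings keyed by the owner's phone number.
RECORDINGS = {
    "+15550100": ["call-001.m4a", "call-002.m4a"],
    "+15550199": ["call-777.m4a"],
}
SERVER_KEY = secrets.token_bytes(32)  # known only to the server


def issue_token(phone: str) -> str:
    """Issued only after the server has verified ownership of `phone`."""
    tag = hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()
    return f"{phone}.{tag}"


def phone_from_token(token: str) -> Optional[str]:
    """Return the phone number bound to a valid token, or None if forged."""
    phone, _, tag = token.partition(".")
    expected = hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()
    valid = hmac.compare_digest(tag.encode(), expected.encode())
    return phone if valid else None


def list_recordings_vulnerable(body: dict) -> tuple:
    # Flaw: the client-supplied phone number is trusted as the caller's
    # identity, so editing it in transit selects another user's records.
    return 200, RECORDINGS.get(body["phone"], [])


def list_recordings_hardened(body: dict, token: str) -> tuple:
    owner = phone_from_token(token)
    if owner is None:
        return 401, []  # no valid proof of identity
    if body.get("phone", owner) != owner:
        return 403, []  # authenticated, but asking for someone else's data
    # The lookup key comes from the verified token, never from the body.
    return 200, RECORDINGS.get(owner, [])
```

Logging the 403 branch gives operations teams a direct signal that a client is requesting records for a number other than its own.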
App developer Arun Nair fixed the security flaw in an update that was submitted to Apple over the weekend. The patch notes provided very little detail, simply stating the update was a “security fix”.
TechCrunch attempted to contact Arun Nair, but hasn’t yet received a response. It would appear the developer would rather brush this security flaw under the rug and move forward without attracting too much attention.
While it’s easy to trust applications because they are popular on storefronts like Apple and Google Play, popularity doesn’t necessarily mean your data is being kept securely.