Google Play is full of apps that are marketed at couples and parents who want to spy on their loved ones. As Forbes has previously detailed, those same apps are often used in abusive relationships and installed by the abuser on the victim’s phone without the latter knowing. But it turns out a large number of them contain some basic but shocking vulnerabilities that could allow anyone to log in and spy on phones running the software.
In the most worrisome example, an app called Couple Vow exposed 1.7 million user passwords, completely unprotected and in plain text. Anyone who had access to an account wouldn’t just have all the location, text and call data of whoever was being tracked, but all content sent through the app’s messaging feature. A separate vulnerability in the app’s database meant hackers (thankfully benevolent ones in this case) could grab all 1.7 million users’ data in batches. In some cases that included nude images.
The leak was uncovered by researchers from the Germany-based Fraunhofer Institute for Secure Information Technology, who are delivering their findings at the DEF CON hacking convention in Las Vegas on Saturday. Their talk is bluntly titled “All Your Family Secrets Belong To Us—Worrisome Security Issues In Tracker Apps.”
Couple Vow’s weaknesses were rudimentary to say the least. In one case, all the researchers had to do was request the data from the app server, using what’s known as a GET request. There was no need to enter a username or password. And all user logins were left completely unencrypted, readable to anyone with an internet connection. “You do not even have to attack the server. A single GET request gets you all the data as there was no authentication at all,” SIT security researcher Siegfried Rasthofer told Forbes.
Another vulnerability in the app allowed the researchers to draw out images, nine at a time. When they tried to see if their own image was accessible by exploiting the loophole, they found other photos coming through, including a nude. (The researchers didn’t actually download anyone else’s images; they were only previews stored in the browser, the cache of which was swiftly deleted.)
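To make the two failure modes concrete, here is an added illustration in Python. It is not Couple Vow’s code (the app’s backend is not public) and every route, record and name in it is constructed for the example: a toy request handler that, like the one the researchers describe, answers any GET with every account and its plaintext password and serves photos by guessable number, beside a hardened handler that requires a session token, stores only salted password hashes, and returns only the caller’s own records.

```python
"""Added example, not code from Couple Vow or the Fraunhofer SIT researchers.
Models an unauthenticated data endpoint with plaintext passwords and
enumerable image ids, and a hardened equivalent. All data is constructed."""
import hashlib
import hmac
import os
import secrets

# Constructed sample data: the kind of records a tracker backend holds.
USERS = {
    "alice": {"password": "hunter2", "location": "48.13,11.58", "messages": ["hi"]},
    "bob":   {"password": "letmein", "location": "52.52,13.40", "messages": ["yo"]},
}
IMAGES = {1: "alice-selfie.jpg", 2: "bob-holiday.jpg", 3: "alice-private.jpg"}
IMAGE_OWNER = {1: "alice", 2: "bob", 3: "alice"}


def _image_id(path):
    """Parse the trailing numeric id of /api/images/<n>; None if malformed."""
    try:
        return int(path.rsplit("/", 1)[1])
    except ValueError:
        return None


def vulnerable_get(path, headers=None):
    """The pattern the article describes: no authentication on the data
    endpoint, passwords stored in the clear, and image ids that anyone can
    walk through to reach other users' photos."""
    if path == "/api/users":
        return 200, USERS                        # whole user table, no auth check
    if path.startswith("/api/images/"):
        image_id = _image_id(path)
        return 200, IMAGES.get(image_id)         # any id, anyone's photo
    return 404, None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


# Hardened store: same records, but the password field holds (salt, hash).
HARDENED_USERS = {
    name: {**rec, "password": hash_password(rec["password"])}
    for name, rec in USERS.items()
}
SESSIONS = {}  # bearer token -> username


def login(username, password):
    """Verify credentials in constant time; issue a random session token."""
    rec = HARDENED_USERS.get(username)
    if rec is None:
        return None
    salt, digest = rec["password"]
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, digest):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def hardened_get(path, headers=None):
    """Every request must carry a valid bearer token, and each record is
    scoped to the authenticated caller; other users' data is invisible."""
    headers = headers or {}
    auth = headers.get("Authorization", "")
    user = SESSIONS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if user is None:
        return 401, None
    if path == "/api/users/me":
        rec = HARDENED_USERS[user]
        return 200, {k: v for k, v in rec.items() if k != "password"}
    if path.startswith("/api/images/"):
        image_id = _image_id(path)
        if image_id is None or IMAGE_OWNER.get(image_id) != user:
            return 404, None                     # don't confirm others' images exist
        return 200, IMAGES[image_id]
    return 404, None


if __name__ == "__main__":
    print("unauthenticated:", vulnerable_get("/api/users"))
    token = login("alice", "hunter2")
    print("hardened, no token:", hardened_get("/api/users/me"))
    print("hardened, alice:", hardened_get("/api/users/me", {"Authorization": "Bearer " + token}))
    print("alice asks for bob's photo:", hardened_get("/api/images/2", {"Authorization": "Bearer " + token}))
```

The check a reviewer would want is the one the hardened handler makes twice: first that the request is tied to an authenticated identity at all, then that the record requested belongs to that identity. The first stops the single anonymous GET; the second stops the nine-at-a-time image walk, which authentication alone would not, since any paying user could still enumerate everyone else’s photos.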
The developers of Couple Vow did not respond to multiple requests for comment.
Another 18 tracker apps with millions of users were also probed by Rasthofer and his colleagues Stephan Huber and Steven Arzt over the course of last year. All contained weaknesses that could be exploited to access accounts, including login bypasses and unprotected communications.
Consumer spyware companies have also been hacked by less well-intentioned attackers over the last year: Thai firm FlexiSpy and American company Retina-X were both reportedly compromised.
Google 'slow to respond'
Some app developers responded to Rasthofer’s warnings, but many apps remain online and vulnerable, including Couple Vow.
And he was critical of Google’s response to his team’s disclosure. “The communication with Google was not awesome,” he said. “It was slow and we had to push them. ... It didn’t directly affect Google—this is maybe the reason.” He said Google removed a handful of the apps from the Play store, but some were left up.
Google hadn’t responded to a request for comment at the time of publication.