Five Million Downloads OyeTalk Android App Leaks Private User Conversations
The App Stored Unencrypted Chats on an Unsecured Database.
Cyber researchers warn OyeTalk users that the app's database exposed their private data and conversations to data leakage. The database admins did not use a password to secure it, so all the data was open to the public.
OyeTalk is a voice-chat app that is available in over 100 countries and has five million downloads on the Google Play Store. Its 21,000 reviewers rated it 4.1 out of 5 stars.
What's at Risk
The data leakage happened due to unsecured access to Firebase, Google’s platform that offers cloud-hosted database services for app developers.
The leakage exposed over 500MB of users' data. Developers left unencrypted chats, usernames, and cellphone International Mobile Equipment Identity (IMEI) numbers open to the public.
An IMEI number is a unique identifier assigned to all factory-built mobile phones, tablets, and other devices with cellular connection capabilities, such as smartwatches. Using the IMEI, law enforcement and threat actors can identify a device and its legal owner. Spilling IMEI numbers on every message sent is a vast privacy intrusion, as each message is permanently associated with a specific device and the person who owned it at the time.
This is all good news for hackers, who could easily exploit the data spillage and ask for ransom.
OyeTalk developers also hardcoded sensitive information in the application's client side, like the Google API key and links to Google storage buckets. This is an unsafe practice that exposes the app to reverse engineering. In many cases, threat actors have leveraged this kind of mistake to steal data.
OyeTalk's Reaction to Researchers' Warning
Although researchers notified OyeTalk's developers about the data leakage, they did not close off access to the database. The exposure eventually grew large enough that Google's own security measures closed it off.
Unfortunately, OyeTalk is not the only app on the Google Play store that is vulnerable to data leakage. After analyzing over 33,000 Android apps, researchers discovered that health and fitness, education, tools, lifestyle, and business apps were the most poorly secured.
Results showed that over 14,000 apps had Firebase URLs on their front end. Out of these, more than 600 were links to open instances. This means that by examining the public information on an app and applying reverse engineering, a malicious actor could gain access to a database and, potentially, user data.
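The two checks a development team can run before shipping, as an added example that is not part of the researchers' work or OyeTalk's code: a scan of a decompiled build's strings for hardcoded Firebase URLs, Google API keys and storage buckets, and a check of the Realtime Database rules for the open setting that makes a database public. The sample strings, hostnames and key are constructed placeholders, and the "AIza" plus 35 characters key shape is an assumption based on the commonly observed format.

```python
import json
import re

# Constructed sample of text pulled from a decompiled build (strings.xml and
# smali). Every value is a placeholder invented for this example.
SAMPLE_APP_STRINGS = """\
<string name="app_name">ExampleChat</string>
<string name="firebase_database_url">https://example-app-placeholder.firebaseio.com</string>
<string name="google_api_key">AIzaSyCONSTRUCTED_EXAMPLE_KEY_000000000</string>
<string name="google_storage_bucket">example-app-placeholder.appspot.com</string>
const-string v0, "https://example-app-placeholder.firebaseio.com/messages.json"
"""

# Patterns: Firebase Realtime Database URLs (host plus optional path),
# Google API keys (assumed shape: "AIza" followed by 35 key characters)
# and Cloud Storage bucket references.
PATTERNS = {
    "firebase_url": re.compile(r"https://[a-z0-9.-]+\.firebaseio\.com[A-Za-z0-9./_-]*"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "storage_bucket": re.compile(r"(?:gs://)?[a-z0-9.-]+\.appspot\.com"),
}


def scan_app_strings(text):
    """Return (kind, value, line_no) findings in file order, duplicates collapsed."""
    seen = set()
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                key = (kind, match.group(0))
                if key not in seen:
                    seen.add(key)
                    findings.append((kind, match.group(0), line_no))
    return findings


def rules_leave_database_open(rules_json):
    """True when Realtime Database rules grant unauthenticated read or write at the root.

    A rules document such as {"rules": {".read": true, ".write": true}} makes every
    path public; a condition string such as "auth != null" requires a signed-in user.
    """
    rules = json.loads(rules_json).get("rules", {})
    return rules.get(".read") is True or rules.get(".write") is True
```

Running the scan over a real decompiled build (for example the output of apktool) in CI flags any such value before release; the rules check belongs wherever the project's Firebase rules are reviewed.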