Research: 19 people-tracking apps contain security flaws
At the Def Con security conference, researchers from Germany's Fraunhofer institute presented the results of their investigation into 19 apps for tracking children or a partner. One of the apps exposed the unencrypted data of 1.7 million users.
The researchers, Siegfried Rasthofer and Stephan Huber, found a total of 37 vulnerabilities across the 19 apps. These are free Android apps with which parents can follow their children, for example, or partners can track each other. The most popular app they examined was Couple Tracker, with 5 to 10 million downloads. During their presentation they said they could probably have found more flaws, but at some point they stopped looking. They reported their findings to the app developers and to Google. Ultimately, 12 of the 19 apps were removed from the Play Store, although Google did not respond immediately to their notifications.
The most serious flaws were in the backend servers of several apps. In one case, SQL injection gave the researchers access to the unencrypted data of 1.7 million users, including email addresses and passwords. In another case, a misconfigured Firebase server returned its entire contents when the researchers made a request without supplying a user ID. SQL injection against yet another backend exposed the photos of all users, including nude photos; the images were not stored separately per user, so nothing isolated one user's pictures from another's.
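The following is an added example, not code from the researchers or from any of the apps they examined. It shows the class of backend bug behind the 1.7-million-user exposure: a login lookup that concatenates untrusted input into SQL, next to the same lookup with bound parameters, run against an in-memory SQLite table with constructed sample rows (the table layout, column names and accounts are all assumptions made for the demo). The injected value closes the string literal, adds an always-true condition and comments out the rest of the WHERE clause, so the vulnerable query hands back every row instead of one.

```python
"""Added example: SQL injection in a tracking-app style login, vulnerable
and parameterized versions side by side. All data is constructed."""
import sqlite3

# Constructed sample accounts; these are not real users.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "passw0rd"),
    ("carol@example.com", "letmein"),
]


def make_db():
    """Create an in-memory database that mirrors the plaintext storage
    the article describes: email and password in one table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, email, password):
    """Builds the query by string formatting, so input becomes SQL."""
    query = (
        "SELECT email, password FROM users "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, email, password):
    """Same lookup with bound parameters; input stays data."""
    query = "SELECT email, password FROM users WHERE email = ? AND password = ?"
    return conn.execute(query, (email, password)).fetchall()


# Classic payload: closes the quoted email, makes the WHERE clause always
# true, and the trailing "--" comments out the password check.
PAYLOAD = "' OR '1'='1' --"


def demo():
    """Return (rows dumped by the vulnerable query, rows from the safe one)."""
    conn = make_db()
    dumped = login_vulnerable(conn, PAYLOAD, "irrelevant")
    blocked = login_safe(conn, PAYLOAD, "irrelevant")
    return len(dumped), len(blocked)


if __name__ == "__main__":
    dumped, blocked = demo()
    print(f"vulnerable query returned {dumped} rows, parameterized query {blocked}")
```

Against the three constructed rows the vulnerable query returns all three accounts for the payload, the parameterized query none. Parameter binding fixes the injection; it does not fix the other problem visible in the table, which is that passwords are stored in clear text at all.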
The less severe vulnerabilities included authorization performed on the client rather than on the server, and keys hard-coded into the app itself. Some apps also did not use an encrypted connection to the server, so their traffic was easy to intercept. Since sharing a user's location is the core feature of these apps, some of the flaws let the researchers track users in real time, which they showed in a live demo. They detail their findings on their website.
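As an added example (not the researchers' code and not taken from any of the apps), here is why client-side authorization turns a location-sharing feature into a real-time tracking oracle. The weak endpoint trusts a requester identity sent by the client, which is all that client-side checks amount to once someone reads or replays the traffic; the fixed endpoint derives the caller from a server-issued session token and checks the consent relationship held on the server. User names, coordinates, sharing relationships and the session scheme are constructed for the demo.

```python
"""Added example: a location lookup authorized on the client versus on
the server. All users, locations and sharing relations are constructed."""
import secrets

# Constructed last-known locations, keyed by user id.
LOCATIONS = {
    "alice": (52.3676, 4.9041),
    "bob": (48.1351, 11.5820),
    "mallory": (40.7128, -74.0060),
}

# Constructed consent table: who may see whose location. Alice and Bob are
# a couple sharing with each other; Mallory is an unrelated account.
SHARES = {
    "alice": {"bob"},
    "bob": {"alice"},
    "mallory": set(),
}

# Server-issued opaque session tokens -> user id (in-memory for the demo).
SESSIONS = {}


def issue_session(user_id):
    """Mint a random session token; real credential checking is assumed
    to have happened before this is called."""
    token = secrets.token_hex(16)
    SESSIONS[token] = user_id
    return token


def _may_view(requester_id, target_id):
    """Consent check using only server-side state."""
    return target_id == requester_id or requester_id in SHARES.get(target_id, set())


def location_client_side_auth(requester_id, target_id):
    """Weak: the server believes whatever identity the client asserts.
    The app's UI may only ever send its own id, but any HTTP client can
    send someone else's and walk every user in the system."""
    if _may_view(requester_id, target_id):
        return LOCATIONS.get(target_id)
    return None


def location_server_side_auth(session_token, target_id):
    """Fixed: identity comes from the session, not from the request body."""
    requester_id = SESSIONS.get(session_token)
    if requester_id is None:
        return None  # no valid session
    if _may_view(requester_id, target_id):
        return LOCATIONS.get(target_id)
    return None


def demo():
    """Mallory, with a modified client, claims to be Bob to read Alice's
    location. Returns (spoof worked against weak endpoint,
    Mallory can read own location via session, Mallory denied Alice's)."""
    spoofed = location_client_side_auth("bob", "alice")
    token = issue_session("mallory")
    own = location_server_side_auth(token, "mallory")
    denied = location_server_side_auth(token, "alice")
    return spoofed is not None, own is not None, denied is None


if __name__ == "__main__":
    print(demo())
```

The weak endpoint hands Mallory Alice's coordinates the moment she claims to be Bob; the fixed endpoint returns nothing for the same target because the consent check is keyed on the identity bound to her session. Polling the weak endpoint in a loop is the real-time tracking the article describes.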
The apps viewed by the researchers