Secret comms in danger as Second Phone Number iOS app leaks user texts
source: cybernews.com | image: pexels.com
A virtual phone number iOS app with millions of downloads in the US has exposed its users’ data, including messages, media, and sender and recipient details.
While there are many reasons to have a virtual phone number, privacy is the most common. This is not lost on Second Phone Number app creators, as its App Store description starts with “Need a second phone number for private calls and texts?”
However, users expecting privacy are in for a surprise. The Cybernews research team has found that the popular iPhone app’s misconfigured Firebase instance exposed user details likely not meant for the outside world.
“Some users used the app for dating, others to conduct business. Skilled attackers would have ample data to blackmail the app users who used it for personal purposes,” Aras Nazarovas, information security researcher at Cybernews, observed.
Despite multiple attempts to reach the app’s creators, the exposed Firebase instance continues to leak user details. We have tried to contact them for comment and will update the article once we receive a reply.
Why is the Second Phone Number leak a problem?
Since the App Store doesn’t provide information on how many users downloaded a certain app, it’s unclear how many people could be impacted by the leak. However, third-party estimates show that Second Phone Number may have been downloaded nearly four million times, with over three million of those downloads in the US alone.
According to our team, when the exposed Firebase instance was discovered, over 700 SMS messages, including sender and recipient phone numbers, as well as recipient names set by the app user, were revealed.
However, the true scope of the leak could be far greater. For one, Firebase serves as a temporary database, which means that the actual amount of data stored by the service could be much higher. Attackers are fully aware of how Firebase works and could use it to their advantage.
The team believes that malicious actors could use scrapers – automated programs that continuously request new data from the same resource – and download and store the responses.
“Threat actors can set up these scrapers to constantly download sensitive data from the Firebase instance and gain real-time access to new data such as sent messages,” Nazarovas explained.
Most importantly, the exposed data is likely worth the effort for cybercrooks. For one, some users likely used the app to add a layer of anonymity to their communications, which suggests that those communications were sensitive.
Meanwhile, other users utilized Second Phone Number for secure business-to-customer communications. The team believes attackers could utilize available details for account hijacking, gaining essential shipping information.
iOS app secrets revealed
Sensitive user details weren’t the only thing that the app’s leaky Firebase instance exposed. Numerous app secrets on the client side of the application were exposed, including keys and IDs:
- API Key
- Client ID
- Database URL
- Google App ID
- Project ID
- Reversed Client ID
- Storage Bucket
- GAD Application Identifier
Embedding sensitive information such as API keys and client IDs in an app is a major security lapse, as threat actors can relatively easily extract it using basic tools. In essence, app developers allow nefarious actors to access protected resources and abuse API services.
However, Second Phone Number is one among many iOS apps leaking app secrets. The Cybernews research team has recently discovered numerous apps with devastating security issues. For example, numerous BDSM, LGBTQ+, and sugar dating apps have been found exposing users’ private images, with some of them even leaking photos shared in private messages.
In other cases, our researchers discovered that apps meant to track family members or secretly store sensitive data were leaking troves of sensitive data.
The recent leak was uncovered during a large-scale investigation – Cybernews researchers downloaded 156,000 iOS apps, around 8% of all apps on the Apple Store, discovering that developers leave plaintext credentials in the application code accessible to anyone.
The findings revealed that 71% of the apps analyzed leak at least one secret, with an average app’s code exposing 5.2 secrets.
How do you fix leaky apps?
Researchers believe that to effectively mitigate the issue, it’s best to focus on Firebase instances and hardcoded secrets separately. To fix Firebase-related issues, the team advised to:
- Use appropriate Firebase security rules to ensure that only authorized and authenticated users and services can access the data stored within.
“The Firebase instance used by the app was exposed and publicly accessible, allowing threat actors to connect to the database and scrape it in real-time, gaining access to information about any actions made by their users, including access to customer support communications and user-supplied AI prompts,” our researchers said.
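The following is an added example, not code from Cybernews or the app's developers. It assumes the exposed instance is a Firebase Realtime Database, whose security rules are written as JSON, and runs a small heuristic linter over three constructed rulesets; the function names and finding labels are hypothetical.

```python
import json

# Constructed rulesets (assumed Realtime Database JSON rules); not from the app in the article.
WEAK = json.loads('{"rules": {".read": true, ".write": true}}')
AUTH_ONLY = json.loads(
    '{"rules": {"messages": {".read": "auth != null", ".write": "auth != null"}}}'
)
HARDENED = json.loads("""
{"rules": {"messages": {"$uid": {
    ".read":  "auth != null && auth.uid === $uid",
    ".write": "auth != null && auth.uid === $uid"
}}}}
""")


def classify(value):
    """Heuristically grade one .read/.write rule; None means no finding."""
    expr = " ".join(str(value).split()).lower()  # JSON true/false become "true"/"false"
    if expr == "false":
        return None  # access denied outright
    if expr == "true":
        return "public"  # anyone on the internet can read or write
    if "auth" not in expr:
        return "no-auth-check"
    if "auth.uid" not in expr and "auth.token" not in expr:
        return "any-signed-in-user"  # authenticated, but not tied to the data's owner
    return None


def audit_rules(ruleset):
    """Walk the rules tree and return sorted (path, operation, finding) tuples."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                finding = classify(value)
                if finding:
                    findings.append((path or "/", key, finding))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(ruleset.get("rules", {}), "")
    return sorted(findings)


if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("auth-only", AUTH_ONLY), ("hardened", HARDENED)):
        print(name, audit_rules(rules))
```

Realtime Database rules cascade, so a grant reported at a shallow path such as `/` applies to everything beneath it regardless of stricter child rules.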
Meanwhile, to prevent apps’ secrets from falling into the wrong hands, the team advises to:
- Remove sensitive secrets from the client side of the application and place them on the server side of the application, proxying traffic through your own infrastructure to third-party services used by the app.
“Hardcoded secrets allow threat actors to enumerate infrastructure used by the app; if any authentication secrets are present, it may also allow threat actors to abuse the affected services in order to harvest user data or use the services for their own, unauthorized purposes,” Nazarovas explained.