Slashdot Mirror


Security Flaw In Truecaller Android App Exposes Data of Millions of Users (softpedia.com)

An anonymous reader writes about a newly found vulnerability in Truecaller: Security researchers have found a flaw in Truecaller, a popular service that indexes phone numbers and helps users block spammers and telemarketers. An article on Softpedia explains the vulnerability, "When users first install the Android app, they are prompted to enter their phone number, email address, and other personal details. This information is verified by phone call or SMS message. Upon opening the app for the second time, no login screens are shown. In a proof-of-concept code shared with Softpedia, researchers were able to retrieve personal details for other users based on an IMEI code just by interacting with the app's servers. The servers exposed data such as the user's Truecaller account name, his gender, email address, profile image, home address, and whatever else was stored in his profile. Additionally, the IMEI code also allowed the researchers to modify account settings."

51 comments

  1. Don't worry by Anonymous Coward · · Score: 0

    Please do not worry, all these kinds of bugs will be patched before the Internet of Things is released.

    A hacker's dream come true.

  2. Feasible but how useful is it? by Z00L00K · · Score: 4, Insightful

    It's feasible, but how useful is it? You can of course loop through IMEI codes, but not every phone has registered, so it will be some time before you get matching info.

    But otherwise I agree - it's a weakness that should be protected better. It also highlights that too many services request too much personal information.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:Feasible but how useful is it? by NatasRevol · · Score: 1

      You can create your own, searchable, database of everyone using TrueCaller.

      And then sell access to it.

      Or threaten people in it.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:Feasible but how useful is it? by Anonymous Coward · · Score: 0

      The good thing is they fixed it. Appreciate companies that respond to security research instead of ignoring it.

    3. Re:Feasible but how useful is it? by Yomers · · Score: 1

      Can you? IMEI is 15 decimal digits: 14 digits plus a check digit - which makes checking them one by one a possible hobby for a lifetime and beyond. Not very useful, unless you are a curious second-hand phone dealer, or somehow got yourself a long list of IMEI numbers.

    4. Re:Feasible but how useful is it? by NatasRevol · · Score: 1

      Yes. You search by name, not IMEI. That's just the primary key.

      Perhaps you should go back & read the second to last sentence in TFS.

      --
      There are two types of people in the world: Those who crave closure
    5. Re:Feasible but how useful is it? by edtice1559 · · Score: 1

      Uh, I think you could write a script for this which would be a hobby for a day.

    6. Re:Feasible but how useful is it? by Yomers · · Score: 1

      Hmm, nope, what they say is that you need the correct IMEI to get access to the data - quote:

      The researcher found that Truecaller uses devices’ IMEI as the only identity label of its users. Meaning that anyone gaining the IMEI of a device will be able to...

      No IMEI - no honey.

      I'm not saying it's perfectly OK - you could think of many possible situations when this could be used to get access to personal data. Like if some phone manufacturers assign IMEI sequentially. But in the real world it's unlikely that this 'vulnerability' will ever be used for fun or profit. Anyway, it would not be terribly difficult to additionally protect this database by a security token stored on the phone.

    7. Re:Feasible but how useful is it? by Yomers · · Score: 1

      Deviously clever, anyway 14 digits is something about 100 trillion, in scientific terms that's more than 100 million LoC (Libraries of Congress). What would be your script brute forcing speed, approximately? Because if it'll be less than about 4 LoCs per second - running this script would be a lifetime affair.

    8. Re:Feasible but how useful is it? by kybred · · Score: 1

      Deviously clever, anyway 14 digits is something about 100 trillion, in scientific terms that's more than 100 million LoC (Libraries of Congress). What would be your script brute forcing speed, approximately? Because if it'll be less than about 4 LoCs per second - running this script would be a lifetime affair.

      But only 6 of those digits are the device serial number, the rest are the manufacturer and model. So if you just want to try the most popular manf and models you have a much smaller search space.
      Wiki IMEI page
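      The IMEI layout the two comments above describe (14 digits plus a Luhn check digit, with the first 8 digits identifying the manufacturer/model and the next 6 the unit's serial) is easy to validate on input. The parser below is an added example written for this thread, not code from Truecaller or the article; the 15-digit value it is run on is a sample, not a real device. The defensive point it makes is that the check digit only catches transcription errors: it is computable by anyone from the other 14 digits, so it adds nothing as a secret and an IMEI should be treated as a plain identifier, never as a credential.

```python
import re

# Sample IMEI used below (constructed for this example, not a real device).
SAMPLE_IMEI = "490154203237518"


def luhn_check_digit(body: str) -> int:
    """Compute the Luhn check digit for a string of decimal digits.

    Walking from the rightmost body digit leftwards, every digit at an even
    offset is doubled (subtracting 9 if the result exceeds 9); the check digit
    is whatever brings the total to a multiple of ten.
    """
    total = 0
    for offset, ch in enumerate(reversed(body)):
        d = int(ch)
        if offset % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Validate an IMEI string and split it into its documented fields.

    Raises ValueError for anything that is not 15 decimal digits or whose
    check digit does not match. Returns the TAC (manufacturer/model code),
    the serial number and the check digit.
    """
    if not re.fullmatch(r"[0-9]{15}", imei):
        raise ValueError("IMEI must be exactly 15 decimal digits")
    body, check = imei[:14], int(imei[14])
    if luhn_check_digit(body) != check:
        raise ValueError("IMEI check digit mismatch (likely a typo)")
    return {
        "tac": imei[:8],       # Type Allocation Code: manufacturer and model
        "serial": imei[8:14],  # per-unit serial within that TAC
        "check": check,        # Luhn digit: integrity only, no secrecy
    }


def is_valid_imei(imei: str) -> bool:
    """Boolean convenience wrapper for input validation at an API boundary."""
    try:
        parse_imei(imei)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_imei(SAMPLE_IMEI))
    for candidate in (SAMPLE_IMEI, "490154203237519", "12345", "49015420323751A"):
        print(candidate, "->", "valid" if is_valid_imei(candidate) else "rejected")
```

      Use `is_valid_imei` where an IMEI arrives from a client to reject malformed input early; it says nothing about whether the caller actually owns that device.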

    9. Re:Feasible but how useful is it? by Yomers · · Score: 1

      You are right, it's a mere million per phone model! A million guesses should be easily doable in a couple of days, if there is no limit on queries per IP. And it might be still open -

      Although the flaw has been fixed in the latest version, the majority of the users are still in danger as they have not got access to the new release yet. The CM Security Research Lab advises Truecaller users to upgrade this app to the latest version as soon as possible.

      It sounds like they still allow access by IMEI only, at least for accounts that did not update client software yet.

    10. Re:Feasible but how useful is it? by NatasRevol · · Score: 1

      So, you don't know how to iterate numbers to pull out ALL the IMEI numbers?

      Geez....

      --
      There are two types of people in the world: Those who crave closure
  3. There is a lesson here... by mi · · Score: 1

    In addition to the usual lessons to app developers, there is a lesson for users. Do not allow "apps" to know more than what is required for them to fulfill the purpose you installed them for. And if they insist on such things (like access to your photographs), then do not install them.

    With things like "true caller" it is bad enough that they know who calls you — but they have a legitimate need to know. They do not need to know you, however.

    --
    In Soviet Washington the swamp drains you.
    1. Re:There is a lesson here... by bluefoxlucid · · Score: 2

      True Caller is the dialer app on some phones. On other phones, you can replace the default dialer with True Caller. Good luck getting rid of default True Caller; the dialer app isn't in the Android store. You could install another third-party dialer app that sniffs all your dialed numbers.

    2. Re:There is a lesson here... by fustakrakich · · Score: 2

      it is bad enough that they know who calls you — but they have a legitimate need to know.

      They do? Who's "they"? The KGB?

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:There is a lesson here... by NatasRevol · · Score: 1

      Anyone pulling out all the IMEI info & creating their own databases.

      --
      There are two types of people in the world: Those who crave closure
    4. Re:There is a lesson here... by Bob+the+Super+Hamste · · Score: 1

      I was thinking:

      Yes Tommy, before ze Germans get here

      --
      Time to offend someone
    5. Re:There is a lesson here... by mi · · Score: 1

      it is bad enough that they know who calls you

      They do? Who's "they"? The KGB?

      Makers of the TrueCaller application. Hope, this helped.

      --
      In Soviet Washington the swamp drains you.
    6. Re:There is a lesson here... by fustakrakich · · Score: 1

      You didn't explain why they are entitled....

      --
      “He’s not deformed, he’s just drunk!”
    7. Re:There is a lesson here... by mi · · Score: 1

      You didn't explain why they are entitled....

      You never asked. And now the rest of the audience is gone and I don't feel particularly charitable towards someone who planned to devise his own "unbreakable" phone just a short while ago in another thread.

      So I'll leave it as an exercise for you. What is the program promising to do, that might justify its accessing of the user's incoming calls?

      --
      In Soviet Washington the swamp drains you.
    8. Re:There is a lesson here... by fustakrakich · · Score: 1

      Ah, typical KGB :-) Still the Ruskie! Please, go home...

      --
      “He’s not deformed, he’s just drunk!”
  4. Very useful app for minimizing spam calls by schwit1 · · Score: 1

    But the first thing to do is disable its access to your contacts.

    1. Re:Very useful app for minimizing spam calls by omnichad · · Score: 1

      At first glance, it would seem like a smart way to create a crowd-sourced whitelist. On the other hand, if you've ever created a contact with a silent ringer to block calls from junk callers, you've just broken part of the whitelist.

    2. Re:Very useful app for minimizing spam calls by mrops · · Score: 1

      Does this app crowd source their user base's contact list?

      That would suck. I don't want my number and name in some central database. It's bad if Joe the group's goof installs it and the app siphons my number off his contact list.

    3. Re:Very useful app for minimizing spam calls by pdhenry · · Score: 1

      Yes, that's where it gets its data. There's a link that is supposed to let you opt out: http://www.truecaller.com/unli...

  5. Unfortunately... by KingSkippus · · Score: 4, Insightful

    Unfortunately, it has become such common practice to request "kitchen sink" permissions that it's nigh impossible to find useful apps that don't do so. And the sad fact is that users have become so jaded to it that the money that app makers lose from people who value privacy is less than the money they make from people just clicking through on every "OK" button they see to get their new shiny.

    I wish I had an answer to this problem, but I don't. People are stupid, and there's not much you can do to fix that. Unfortunately, that means that people like you and I who do care about our privacy pay the price.

    1. Re:Unfortunately... by tlhIngan · · Score: 1

      Unfortunately, it has become such common practice to request "kitchen sink" permissions that it's nigh impossible to find useful apps that don't do so. And the sad fact is that users have become so jaded to it that the money that app makers lose from people who value privacy is less than the money they make from people just clicking through on every "OK" button they see to get their new shiny.

      It stems from two problems.

      First, the permissions weren't granular enough and common tasks and notifications end up requiring permissions that are potentially scary. Stuff like "Phone state" seems scary, but a practical reason is so a media player can pause playback when you get a phone call. Or pause if you attempt to make a phone call so the audio doesn't drown out the other side of the conversation.

      Of course, if an app asks for your contacts, that's because the advertising component of it wants to rape your phone's personal information. It's a sad fact that the vast majority of Android users don't pay for apps, requiring the use of ads to pay for it.

    2. Re:Unfortunately... by JustAnotherOldGuy · · Score: 1

      Unfortunately, it has become such common practice to request "kitchen sink" permissions that it's nigh impossible to find useful apps that don't do so.

      ^^^THIS.

      100% agreed....I recently wanted to install a compass on my phone, mostly to play with but also because it could conceivably be useful someday. And it wanted access to my photos, contact list, battery stats, bluetooth service, audio settings, "read frame buffer", SMS, calendar, voicemail and a bunch of other shit I can't even recall....for a compass app.

      Why in the world would a compass need access to my photos, voicemail, calendar and contact list?

      In the end, I didn't install it. Unfortunately Android doesn't allow fine-grained permissions. (Yes, I know about CyanogenMod, but it's not available for my phone.)

      Oh well, no compass for me.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    3. Re:Unfortunately... by unrtst · · Score: 1

      It stems from two problems.

      Nope, not those.
      There's a fairly easy solution to these issues, and there are cyanogenmod / rooted apps that have been available for a long time so it's technically a done deal. Allow the user to control which permissions it allows for each app, and allow the setting of stand in values.

      For example, if an app requires GPS, the user could select "nope... just feed the app these coordinates instead: ___". Similar for a contact list, let the user supply an empty or preset or limited list of contacts.

      The existing apps do not solve the problem because not everyone has that ability. However, if that control were standard, then those making the apps would be encouraged to provide more honest information about the required permissions, and to limit them from the start so they get good data.

      As it is today, for most users, it's an either/or situation. You can either accept the app's requested permissions and use it, or you don't get to use it at all. That's stupid.

    4. Re:Unfortunately... by Nonesuch · · Score: 2

      There's a fairly easy solution to these issues, and there are cyanogenmod / rooted apps that have been available for a long time so it's technically a done deal. Allow the user to control which permissions it allows for each app,

      Fixed in Android 6.0 Marshmallow, this release provides a granular per-app permissions management UI, allowing revocation of permissions from any app.

    5. Re:Unfortunately... by edtice1559 · · Score: 1

      I believe that this has, from a technical standpoint, largely been solved. In both iOS and Android (for the past two years or so), you can install an app without giving it all of the required permissions. But the defect here doesn't seem to be related to client device settings at all. Rather, they seem to have servers that use the IMEI for identification, authentication, and authorization, as if presenting the IMEI were the same as a client-side certificate. And worse, they have no countermeasures against brute force. They need to add a client-specific token if they want to maintain login.

    6. Re:Unfortunately... by NatasRevol · · Score: 1

      Yay. 2.3% of Android phones are covered.

      https://developer.android.com/...

      --
      There are two types of people in the world: Those who crave closure
    7. Re:Unfortunately... by Anonymous Coward · · Score: 0

      There is a reason event-driven programming is so useful on multitasking OSes. The OS provides a System.lostfocus() handle and you use that to pause or whatever you want your app to do. Lostfocus() could extend to LostAudioFocus(), LostVisualFocus(), etc. The idea of asking permissions to additionally know the phone state just seems to lull the user into a state where granting permissions that would otherwise be alarming are now acceptable. Now people grant permissions en masse, like granting access to your call logs and other profile info when an arbitrage service from the OS using hash tables would be better for privacy.

    8. Re:Unfortunately... by Aighearach · · Score: 1

      I have no trouble finding useful apps, I just have less trouble trying out sucky apps.

      Maybe apps that ask for more than they need are full of sloppiness or sleaziness?

      I probably have a lot fewer apps installed than you, but that doesn't guarantee I get less utility from my device.

      There is an answer, and you seem to miss it; there is no need for everybody to have a clue. It can be done on an individual basis, and is effective.

      You giving out your personal details doesn't give out mine. I'm not "paying the price," I'm turning down the crap.

    9. Re:Unfortunately... by Aighearach · · Score: 1

      Stuff like "Phone state" seems scary, but a practical reason is so a media player can pause playback when you get a phone call.

      This may vary by OS, but on Android there are different volume settings for media and for the phone, and even when I'm using an IP-phone app it can mute the other media on its own. There is no need for all the other apps that can play sound to be given access to your phone status for that.

      That is the sort of horseshit that so many users just gobble up.

      No, look, they're going to be lying to you. The question isn't, "is there a plausible excuse for having asked for it," the question is, "is it actually necessary for the main purpose of the app?"

    10. Re:Unfortunately... by BronsCon · · Score: 1

      It's not like iOS had it from day one, either. In fact, iOS doesn't tell you up-front what permissions an app wants during install; it makes you wait for the app to request them before you find out, so you can't even decide which app to install based on permissions, you have to trial-and-error that shit.

      And, now that Android does have this feature, and still provides an up-front listing of requested permissions...

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    11. Re:Unfortunately... by KGIII · · Score: 1

      I'll be headed back home in the next few weeks. I've got a real compass. I have several. They've even got the sights on them so you can shoot your azimuth accurately. They're the flip-up clam-shell type of compasses, the only kind to have. I even have some that have a base with right angles so that you can stick 'em on top of a map and use the scale.

      'Cause, if you want a compass - I've got a compass. I'll gift you one. Hell, somewhere in my boxes of stuff I have a bunch of them that fell off a truck when we were delivering supplies to the OCS part of Quantico. (It is amazing how much stuff falls off those trucks.) I'm positive that I've got a bunch of those left. I doubt anyone's stolen them, nobody knows how to use them.

      --
      "So long and thanks for all the fish."
    12. Re:Unfortunately... by JustAnotherOldGuy · · Score: 1

      Thanks. I have several real ones myself, I just wanted to play with a virtual one on my phone and compare it to the physical ones I've got to see how accurate it was.

      But since the compass app appears to want access to my entire life story including my birth certificate and a stool sample, I'll just have to make do with the old-fashioned real-world version. :)

      --
      Just cruising through this digital world at 33 1/3 rpm...
    13. Re:Unfortunately... by KGIII · · Score: 1

      F-droid might have something.

      --
      "So long and thanks for all the fish."
  6. Data harvesting... by QuietLagoon · · Score: 1

    Why was gender, home address, etc., stored on the servers? It appears that the app was harvesting far more data than was needed to perform its core function.

    1. Re: Data harvesting... by Anonymous Coward · · Score: 0

      They store that information so they can sell it. Probably to telemarketing companies and direct mail campaigns. This is why you always enter bogus info on sites that should not require such information.

    2. Re: Data harvesting... by Anonymous Coward · · Score: 0

      He's right. Many companies do this. If the app has no ads, it probably spies on you and sells to people that show ads.

    3. Re: Data harvesting... by Aighearach · · Score: 1

      No, that is why I stop and go somewhere else when asked for private information.

  7. Design Flaw, not security by Anonymous Coward · · Score: 1

    Basically, this app is using the device IMEI as the login and password. Whoever thought this was a good idea lacks basic security principles.

  8. Haven't people learned... by downright · · Score: 0

    Apps are hastily written and thrown by the dozen against the wall to see what sticks... they are the crappiest of the crap of all things internet, and apps have not yet begun to leak your data, lose your privacy and compromise your devices... If you like using new trendy apps then expect to get a privacy VD.

  9. Re:App appers who apped apps get apped! by Aighearach · · Score: 1

    If the app can, the app will. Does the app have your personal details? Then you don't have personal details, you replaced them with public details.

    Does the app need to know your phone id and call status? Like, is the app a phone dialer, or not? No? Is it asking for that? Why would they ask for that? Would you give that out to a stranger on the sidewalk? Who you at least have a physical description of? Then why give it out to a strange computer, that is who knows where doing who knows what?

    Come on, people... don't give out your phone number in order to track spam numbers... that is exactly the opposite direction than the information should be flowing there.

  10. Re:App appers who apped apps get apped! by Flavianoep · · Score: 1

    I installed that app once, but gave up because of the amount of personal data it asked for, which I found unreasonable. Reading /. comments has made me somewhat paranoid, albeit not paranoid enough. Anyway, all this trouble with Truecaller could be avoided with a built-in caller blocker.

    --
    Linux is for people who don't mind RTFM.
  11. Asimov be damned. by Anonymous Coward · · Score: 0

    We need more apps and less robots. My computer is a slave and it should mind its duties rather than be mouthing off about personal details.

  12. Re:App appers who apped apps get apped! by Aighearach · · Score: 1

    I'm "paranoid" (or maybe I've just been around the block) enough that I mostly stick to F-Droid apps, and if it asks for more permissions than I want I just download the source, remove the permissions I don't like, and comment out any code that tries to use the errant permission.

    Maybe 5% of the time they're even using it for something worthwhile... at times they're even going to the bother to store the phone id in the app's database (which is just a sqlite file) when they don't have internet permissions. But there is no way to differentiate between incompetent handling of my data, and future plans of adding internet permissions and misusing it.

    A lot of the time I'm turning off all the internet access, because I'm not using any sort of social media data sharing with the app, and that is the only reason it asks for it. I really prefer to have my mobile apps load their data in advance in most cases, or talk directly to another computer over bluetooth instead of a routeable network.

  13. Hash by manu0601 · · Score: 1

    It would have been so easy to generate a local secret and use it as an identifier instead of the IMEI...
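    The scheme this comment (and edtice1559's and Yomers's earlier in the thread) sketches, as an added example written for this discussion rather than code from Truecaller or the article: the phone number is still verified out of band, but afterwards the account is addressed by a random per-device secret whose hash the server keeps, so knowing a device's IMEI buys nothing. It also shows the flawed pattern beside it for contrast, and adds the per-client failure budget that the thread notes was missing. All phone numbers, names, addresses, the IMEI and the `MAX_FAILED_LOOKUPS` limit are constructed values for this example; the one-time code is returned directly instead of being sent by SMS so the example runs offline.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_LOOKUPS = 5  # assumed failure budget per client address before lockout

# The flawed pattern the thread describes: the IMEI is both the lookup key and
# the only credential, so anyone who knows it is effectively logged in as that user.
WEAK_PROFILES_BY_IMEI = {
    "490154203237518": {"name": "Sample User", "email": "sample@example.com"},  # constructed
}


def weak_lookup(imei: str):
    """Vulnerable form: no proof of possession, no rate limit, no way to revoke."""
    return WEAK_PROFILES_BY_IMEI.get(imei)


class ProfileServer:
    """Hardened form: accounts verified by phone, then addressed only by a
    random per-device secret. The raw secret is never stored server-side."""

    def __init__(self):
        self._profiles = {}  # phone_number -> profile dict
        self._tokens = {}    # sha256(secret) -> phone_number
        self._pending = {}   # phone_number -> (one-time code, profile awaiting verification)
        self._failures = {}  # client_addr -> count of rejected lookups

    def begin_verification(self, phone_number: str, profile: dict) -> str:
        """Start enrolment; returns the one-time code that would go out by SMS or call."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone_number] = (code, profile)
        return code

    def complete_verification(self, phone_number: str, code: str) -> str:
        """Finish enrolment and hand the client its device secret.

        A wrong code discards the pending enrolment, so each code gets one try.
        The secret is generated here for simplicity; the client could equally
        generate it locally and send it once over TLS, as the comment suggests.
        """
        entry = self._pending.pop(phone_number, None)
        if entry is None or not hmac.compare_digest(entry[0], code):
            raise PermissionError("verification failed")
        self._profiles[phone_number] = entry[1]
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, infeasible to guess
        self._tokens[self._fingerprint(token)] = phone_number
        return token

    def get_profile(self, token: str, client_addr: str) -> dict:
        """Return the caller's own profile; other profiles are unreachable without their secret."""
        if self._failures.get(client_addr, 0) >= MAX_FAILED_LOOKUPS:
            raise PermissionError("client locked out after repeated failures")
        owner = self._tokens.get(self._fingerprint(token))
        if owner is None:
            self._failures[client_addr] = self._failures.get(client_addr, 0) + 1
            raise PermissionError("unknown token")
        return self._profiles[owner]

    def revoke(self, token: str) -> None:
        """Invalidate a secret (lost phone, logout); the IMEI scheme had no equivalent."""
        self._tokens.pop(self._fingerprint(token), None)

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store only a hash so a database leak does not hand out working credentials.
        return hashlib.sha256(token.encode("ascii")).hexdigest()


if __name__ == "__main__":
    server = ProfileServer()
    code = server.begin_verification("+15555550100", {"name": "Sample User"})
    secret = server.complete_verification("+15555550100", code)
    print("profile via secret:", server.get_profile(secret, "198.51.100.7"))
    print("profile via IMEI in the weak scheme:", weak_lookup("490154203237518"))
```

    The IMEI can still be recorded as device metadata if the product needs it; what changes is that it is never accepted as proof of identity. Storing only the hash of the secret, comparing the one-time code in constant time, and counting failures per client address are the three habits the thread's complaints map onto.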