Glitch in Messaging Apps May Expose Calls

November 10, 2017

A glitch in nearly 700 iOS and Android apps could expose your private messages and calls.

Appthority, a mobile threat protection firm, discovered the flaw in the development of apps often used for communications by businesses. It published a report on its findings Thursday. The firm believes up to 180 million Android users could be affected by the hack, dubbed “Eavesdropper.” An unknown number of iOS devices also are at risk.

The vulnerability comes from 685 apps that use the Twilio Rest API or SDK for communication services, such as calling and messaging. Twilio allows developers to build those messaging features into their apps. But Appthority found that some developers using these APIs erroneously hard-coded users’ credentials into their apps’ code.

“The vulnerability is called Eavesdropper because the developers have effectively given global access to the text/SMS messages, call metadata, and voice recordings from every app they’ve developed with the exposed credentials,” wrote Appthority's Michael Bentley.

Twilio is most often used in business environments and could expose a firm’s private information. Appthority found that about 33 percent of the apps in question were business-focused. One app enables sales teams to record audio and annotate discussions in real-time.

Appthority discovered the vulnerability in April and notified Twilio in July. By the end of August, the number of affected apps had dropped to 102 in the iOS App Store and 85 in Google Play. Appthority, however, did not publish a full list of apps that could still be vulnerable.

Source: “Vulnerability in Hundreds of Messaging Apps Leaves User Data Exposed,” TechSpot (Nov. 10, 2017) and “Researchers Find Hundreds of Easily-Breached Messaging Apps,” Engadget (Nov. 9, 2017)