No matter how much security an operating system might offer, the weakest link in the chain – such as a badly coded app or service, could lead to user data getting compromised. Apple’s iOS operating system has been designed with security in mind, but an application on the App Store has reportedly exposed thousands of call recordings of users who used the app on their iPhones.
Apple doesn’t allow users to record their calls, which means users are stuck with using third-party apps that allow you to call others using an internet number and then record the call from inside the app. Unfortunately, this means that these apps usually leave their recordings on a server for users to access which means they’re essentially available for people to try and exploit on the internet.
According to a report by TechCrunch, a security flaw in a generically named “CallRecorder” app on the App Store allowed anyone to gain access to another user’s personal call recordings – and all they needed was their victim’s phone number. The vulnerability was discovered by security expert Anand Prakash and the findings were then confirmed by TechCrunch using a tool to “change” the network traffic while the app communicated with the server.
Using the trick, the researcher was able to change the number on the app to any other user, after he had registered and set up the account. The app would simply allow access as if he had registered with their numbers. Prakash also found that the recordings were being stored on a “cloud storage bucket” on Amazon Web Services and had over 1.3 lakh audio recordings well over 300 gigabytes.
While the app has now been patched and an update began rolling out to users over the weekend, this incident highlights how unsafe apps can put users data at risk, even if the operating system is well designed and implements security well enough. Users must also remain cautious about which apps get access to their data, especially something as personal as recordings of their phone conversations.