Android Security

Security Flaw In Truecaller Android App Exposes Data of Millions of Users (softpedia.com) 51

An anonymous reader writes about a newly found vulnerability in Truecaller: Security researchers have found a flaw in Truecaller, a popular service that indexes phone numbers and helps users block spammers and telemarketers. An article on Softpedia explains the vulnerability, "When users first install the Android app, they are prompted to enter their phone number, email address, and other personal details. This information is verified by phone call or SMS message. Upon opening the app for the second time, no login screens are shown. In a proof-of-concept code shared with Softpedia, researchers were able to retrieve personal details for other users based on an IMEI code just by interacting with the app's servers. The servers exposed data such as the user's Truecaller account name, his gender, email address, profile image, home address, and whatever else was stored in his profile. Additionally, the IMEI code also allowed the researchers to modify account settings."

  • by Z00L00K ( 682162 ) on Monday March 28, 2016 @12:11PM (#51792843) Homepage

    It's feasible, but how useful is it? You can of course loop through IMEI codes, but not every phone has registered, so it will be some time before you get matching info.

    But otherwise I agree - it's a weakness that should be protected better. It also highlights that too many services request too much personal information.

    • You can create your own, searchable, database of everyone using TrueCaller.

      And then sell access to it.

      Or threaten people in it.

      • by Yomers ( 863527 )
        Can you? IMEI is 15 decimal digits: 14 digits plus a check digit - which makes checking them one by one a possible hobby for a lifetime and beyond. Not very useful, unless you are a curious second-hand phone dealer, or somehow got yourself a long list of IMEI numbers.
        • Yes. You search by name, not IMEI. That's just the primary key.

          Perhaps you should go back & read the second to last sentence in TFS.

          • by Yomers ( 863527 )
            Hmm, nope, what they say is that you need correct IMEI to get access to the data - quote:

            The researcher found that Truecaller uses devices’ IMEI as the only identity label of its users. Meaning that anyone gaining the IMEI of a device will be able to...

            No IMEI - no honey.

            I'm not saying it's perfectly OK - you could think of many possible situations when this could be used to get access to personal data. Like if some phone manufacturers assign IMEI sequentially. But in real world it's unlikely that this 'vulnerability' will ever be used for fun or profit. Anyway, it would not be terribly difficult to additionally protect this database by security token stored on the

        • Uh I think you could write a script for this which would be a hobby for a day.
          • by Yomers ( 863527 )
            Deviously clever, anyway 14 digits is something about 100 trillion, in scientific terms that's more than 100 million LoC (Libraries of Congress). What would be your script brute forcing speed, approximately? Because if it'll be less than about 4 LoCs per second - running this script would be a lifetime affair.
            • by kybred ( 795293 )

              Deviously clever, anyway 14 digits is something about 100 trillion, in scientific terms that's more than 100 million LoC (Libraries of Congress). What would be your script brute forcing speed, approximately? Because if it'll be less than about 4 LoCs per second - running this script would be a lifetime affair.

              But only 6 of those digits are the device serial number, the rest are the manufacturer and model. So if you just want to try the most popular manf and models you have a much smaller search space.
              Wiki IMEI page [wikipedia.org]

              • by Yomers ( 863527 )
                You are right, it's a mere million per phone model! A million guesses should be easily doable in a couple of days, if there is no limit on queries per IP. And it might be still open -

                Although the flaw has been fixed in the latest version, the majority of the users are still in danger as they have not got access to the new release yet. The CM Security Research Lab advises Truecaller users to upgrade this app to the latest version as soon as possible.

                It sounds like they still allow access by IMEI only, at least for accounts that did not update client software yet.
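The comments above describe the IMEI as a 15-digit number (14 digits plus a Luhn check digit) whose leading part identifies the manufacturer and model, leaving only a 6-digit serial. The following Python is an added example, not code from the thread or from Truecaller: it parses that structure, validates the check digit, and puts a number on why a field like this is unsuitable as a credential. The sample values are constructed for illustration (the first is the widely published example IMEI, not a real device).

```python
import math

# Structure of a 15-digit IMEI as described in the thread: an 8-digit
# Type Allocation Code (manufacturer/model), a 6-digit serial number,
# and one Luhn check digit.
TAC_LEN = 8
SERIAL_LEN = 6

# Constructed sample values for this example.
EXAMPLE_IMEI = "490154203237518"       # published example, not a real handset
CONSTRUCTED_BODY = "35123456789012"    # 14-digit body, check digit computed below


def luhn_check_digit(digits: str) -> int:
    """Compute the Luhn check digit for a string of decimal digits."""
    total = 0
    # Walk from the rightmost body digit; every second digit, starting with
    # that one, is doubled (and reduced by 9 if the double exceeds 9).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Split an IMEI into its fields and verify the check digit.

    Raises ValueError for malformed input; returns the fields otherwise.
    """
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be exactly 15 decimal digits")
    body, check = imei[:14], int(imei[14])
    if luhn_check_digit(body) != check:
        raise ValueError("IMEI check digit does not match")
    return {
        "tac": body[:TAC_LEN],
        "serial": body[TAC_LEN:TAC_LEN + SERIAL_LEN],
        "check_digit": check,
    }


def is_valid_imei(imei: str) -> bool:
    """Boolean wrapper around parse_imei for quick input validation."""
    try:
        parse_imei(imei)
        return True
    except ValueError:
        return False


def serial_entropy_bits() -> float:
    """Entropy of the only field that varies within one phone model.

    The TAC is public per model and the check digit is derived, so the
    unknown part is the 6-digit serial: 10**6 values, about 19.9 bits.
    A credential should carry on the order of 128 bits or more.
    """
    return math.log2(10 ** SERIAL_LEN)


if __name__ == "__main__":
    print(parse_imei(EXAMPLE_IMEI))
    print(CONSTRUCTED_BODY + str(luhn_check_digit(CONSTRUCTED_BODY)))
    print(round(serial_entropy_bits(), 1))
```

The point of serial_entropy_bits is the risk statement a reviewer would make: an identifier with a public prefix, a derived check digit and six free digits is a lookup key, not a secret, regardless of how the search is performed.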

  • In addition to the usual lessons to app-developers, there is a lesson for users. Do not allow "apps" to know more, than what is required for them to fulfill the purpose you installed them for. And if they insist on such things (like access to your photographs), then do not install them.

    With things like "true caller" it is bad enough that they know who calls you — but they have a legitimate need to know. They do not need to know you, however.

    • Unfortunately... (Score:5, Insightful)

      by KingSkippus ( 799657 ) on Monday March 28, 2016 @12:30PM (#51793001) Homepage Journal

      Unfortunately, it has become such common practice to request "kitchen sink" permissions that it's nigh impossible to find useful apps that don't do so. And the sad fact is that users have become so jaded to it that the money that app makers lose from people who value privacy is less than the money they make from people just clicking through on every "OK" button they see to get their new shiny.

      I wish I had an answer to this problem, but I don't. People are stupid, and there's not much you can do to fix that. Unfortunately, that means that people like you and me who do care about our privacy pay the price.

      • by tlhIngan ( 30335 )

        Unfortunately, it has become such common practice to request "kitchen sink" permissions that it's nigh impossible to find useful apps that don't do so. And the sad fact is that users have become so jaded to it that the money that app makers lose from people who value privacy is less than the money they make from people just clicking through on every "OK" button they see to get their new shiny.

        It stems from two problems.

        First, the permissions weren't granular enough and common tasks and notifications end up r

        • by unrtst ( 777550 )

          It stems from two problems.

          Nope, not those.
          There's a fairly easy solution to these issues, and there are cyanogenmod / rooted apps that have been available for a long time so it's technically a done deal. Allow the user to control which permissions it allows for each app, and allow the setting of stand in values.

          For example, if an app requires GPS, the user could select "nope... just feed the app these coordinates instead: ___". Similar for a contact list, let the user supply an empty or preset or limited list of contacts.

          The existin

          • by Nonesuch ( 90847 )

            There's a fairly easy solution to these issues, and there are cyanogenmod / rooted apps that have been available for a long time so it's technically a done deal. Allow the user to control which permissions it allows for each app,

            Fixed in Android 6.0 Marshmallow, this release provides a granular per-app permissions management UI, allowing revocation of permissions from any app.

            • Yay. 2.3% of Android phones are covered.

              https://developer.android.com/... [android.com]

              • It's not like iOS had it from day one, either. In fact, iOS doesn't tell you up-front what permissions an app wants during install; it makes you wait for the app to request them before you find out, so you can't even decide which app to install based on permissions, you have to trial-and-error that shit.

                And, now that Android does have this feature, and still provides an up-front listing of requested permissions...
        • Stuff like "Phone state" seems scary, but a practical reason is so a media player can pause playback when you get a phone call.

          This may vary by OS, but on Android there are different volume settings for media and for the phone, and even when I'm using an IP-phone app it can mute the other media on its own. There is no need for all the other apps that can play sound to be given access to your phone status for that.

          That is the sort of horseshit that so many users just gobble up.

          No, look, they're going to be lying to you. The question isn't, "is there a plausible excuse for having asked for it," the question is, "is it actually necess

      • Unfortunately, it has become such common practice to request "kitchen sink" permissions that it's nigh impossible to find useful apps that don't do so.

        ^^^THIS.

        100% agreed....I recently wanted to install a compass on my phone, mostly to play with but also because it could conceivably be useful someday. And it wanted access to my photos, contact list, battery stats, bluetooth service, audio settings, "read frame buffer", SMS, calendar, voicemail and a bunch of other shit I can't even recall....for a compass app.

        Why in the world would a compass need access to my photos, voicemail, calendar and contact list?

        In the end, I didn't install it. Unfortunately Andro

        • by KGIII ( 973947 )

          I'll be headed back home in the next few weeks. I've got a real compass. I have several. They've even got the sights on them so you can shoot your azimuth accurately. They're the flip-up clam-shell type of compasses, the only kind to have. I even have some that have a base with right angles so that you can stick 'em on top of a map and use the scale.

          'Cause, if you want a compass - I've got a compass. I'll gift you one. Hell, somewhere in my boxes of stuff I have a bunch of them that fell off a truck when we

          • Thanks. I have several real ones myself, I just wanted to play with a virtual one on my phone and compare it to the physical ones I've got to see how accurate it was.

            But since the compass app appears to want access to my entire life story including my birth certificate and a stool sample, I'll just have to make do with the old-fashioned real-world version. :)

      • I believe that this has, from a technical standpoint, largely been solved. In both iOS and Android (for the past two years or so), you can install an app without giving it all of the required permissions. But the defect here doesn't seem to be related to client device settings at all. Rather, they seem to have servers that use the IMEI for identification, authentication, and authorization as if presenting the IMEI were the same as a client-side certificate. And worse, they have no countermeasures again
      • I have no trouble finding useful apps, I just have less trouble trying out sucky apps.

        Maybe apps that ask for more than they need are full of sloppiness or sleaziness?

        I probably have a lot fewer apps installed than you, but that doesn't guarantee I get less utility from my device.

        There is an answer, and you seem to miss it; there is no need for everybody to have a clue. It can be done on an individual basis, and is effective.

        You giving out your personal details doesn't give out mine. I'm not "paying the pric

    • True Caller is the dialer app on some phones. On other phones, you can replace the default dialer with True Caller. Good luck getting rid of default True Caller; the dialer app isn't in the Android store. You could install another third-party dialer app that sniffs all your dialed numbers.
    • it is bad enough that they know who calls you — but they have a legitimate need to know.

      They do? Who's "they"? The KGB?

      • Anyone pulling out all the IMEI info & creating their own databases.

      • I was thinking:

        Yes Tommy, before ze Germans get here

      • by mi ( 197448 )

        it is bad enough that they know who calls you

        They do? Who's "they"? The KGB?

        Makers of the TrueCaller application. Hope this helped.

        • You didn't explain why they are entitled....

          • by mi ( 197448 )

            You didn't explain why they are entitled....

            You never asked. And now the rest of the audience is gone and I don't feel particularly charitable towards someone who planned to devise his own "unbreakable" phone just a short while ago in another thread.

            So I'll leave it as an exercise for you. What is the program [truecaller.com] promising to do, that might justify its accessing of the user's incoming calls?

  • But the first thing to do is disable its access to your contacts.
    • At first glance, it would seem like a smart way to create a crowd-sourced whitelist. On the other hand, if you've ever created a contact with a silent ringer to block calls from junk callers, you've just broken part of the whitelist.

    • by mrops ( 927562 )

      Does this app crowd source their user base's contact list?

      That would suck. I don't want my number and name in some central database. It's bad if Joe the group's goof installs and the app siphons my number off his contact list.

  • Why was gender, home address, etc, stored on the servers? It appears that the app was harvesting far more data than was needed to perform its core function.
  • by Anonymous Coward

    Basically, this app is using the device IMEI as the login and password. Whoever thought this was a good idea lacks basic security principles.

  • It would have been so easy to generate a local secret and use it as an identifier instead of the IMEI...
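The last two comments contrast using the IMEI as login and password with generating a local secret and using that as the identifier. The following Python is an added example, not Truecaller's code or anything posted in the thread: a minimal server-side model of both designs, with constructed sample data. The class and function names (ImeiKeyedService, SecretKeyedService, compare_designs) are hypothetical; the hardened variant assumes the phone or SMS verification step from the summary has already happened before register() is called.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data for the example; not real user or device values.
SAMPLE_IMEI = "490154203237518"
SAMPLE_PROFILE = {
    "name": "Example User",
    "email": "user@example.invalid",
    "home_address": "1 Example Street",
}


class ImeiKeyedService:
    """The pattern criticised in the thread: the IMEI is identifier and credential.

    Any request carrying a matching IMEI can read or edit the profile.
    """

    def __init__(self) -> None:
        self._profiles: Dict[str, dict] = {}

    def register(self, imei: str, profile: dict) -> None:
        self._profiles[imei] = dict(profile)

    def get_profile(self, imei: str) -> Optional[dict]:
        return self._profiles.get(imei)

    def update_settings(self, imei: str, **changes) -> bool:
        if imei not in self._profiles:
            return False
        self._profiles[imei].update(changes)
        return True


@dataclass
class Account:
    profile: dict
    token_hash: bytes  # SHA-256 of the device-held secret; the secret is never stored


class SecretKeyedService:
    """Hardened form: a random secret minted once, at verified registration.

    The device keeps the secret and the server keeps only its hash; the IMEI
    may still be logged as metadata but grants no access on its own.
    """

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    @staticmethod
    def _hash(secret: bytes) -> bytes:
        return hashlib.sha256(secret).digest()

    def register(self, profile: dict) -> Tuple[str, bytes]:
        """Returns (account_id, secret); only the hash of the secret is retained."""
        account_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)  # 256 random bits, not a structured device number
        self._accounts[account_id] = Account(dict(profile), self._hash(secret))
        return account_id, secret

    def _authenticate(self, account_id: str, secret: bytes) -> Optional[Account]:
        account = self._accounts.get(account_id)
        if account is None:
            return None
        # Constant-time comparison so response timing does not leak hash prefixes.
        if not hmac.compare_digest(account.token_hash, self._hash(secret)):
            return None
        return account

    def get_profile(self, account_id: str, secret: bytes) -> Optional[dict]:
        account = self._authenticate(account_id, secret)
        return None if account is None else dict(account.profile)

    def update_settings(self, account_id: str, secret: bytes, **changes) -> bool:
        account = self._authenticate(account_id, secret)
        if account is None:
            return False
        account.profile.update(changes)
        return True


def compare_designs() -> Tuple[bool, bool]:
    """Model a party who knows the IMEI but not the device secret.

    Returns (disclosed_by_imei_service, disclosed_by_secret_service).
    """
    weak = ImeiKeyedService()
    weak.register(SAMPLE_IMEI, SAMPLE_PROFILE)
    disclosed_weak = weak.get_profile(SAMPLE_IMEI) is not None

    strong = SecretKeyedService()
    account_id, _secret = strong.register(SAMPLE_PROFILE)
    # Deriving a token from the IMEI (or any other public value) does not work.
    derived_guess = hashlib.sha256(SAMPLE_IMEI.encode()).digest()
    disclosed_strong = strong.get_profile(account_id, derived_guess) is not None
    return disclosed_weak, disclosed_strong


if __name__ == "__main__":
    print(compare_designs())  # (True, False)
```

Storing only the hash means a leak of the server-side table does not hand out usable tokens, and the constant-time compare keeps the lookup from leaking partial matches; both are cheap relative to the cost of treating a device number as a password.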
