Security Flaw In Truecaller Android App Exposes Data of Millions of Users (softpedia.com)
An anonymous reader writes about a newly found vulnerability in Truecaller: Security researchers have found a flaw in Truecaller, a popular service that indexes phone numbers and helps users block spammers and telemarketers. An article on Softpedia explains the vulnerability, "When users first install the Android app, they are prompted to enter their phone number, email address, and other personal details. This information is verified by phone call or SMS message. Upon opening the app for the second time, no login screens are shown. In a proof-of-concept code shared with Softpedia, researchers were able to retrieve personal details for other users based on an IMEI code just by interacting with the app's servers. The servers exposed data such as the user's Truecaller account name, his gender, email address, profile image, home address, and whatever else was stored in his profile. Additionally, the IMEI code also allowed the researchers to modify account settings."
Re: (Score:2)
If the app can, the app will. Does the app have your personal details? Then you don't have personal details, you replaced them with public details.
Does the app need to know your phone id and call status? Like, is the app a phone dialer, or not? No? Is it asking for that? Why would they ask for that? Would you give that out to a stranger on the sidewalk? Who you at least have a physical description of? Then why give it out to a strange computer, that is who knows where doing who knows what?
Come on, people...
Re: (Score:2)
Re: (Score:2)
I'm "paranoid" (or maybe I've just been around the block) enough that I mostly stick to F-Droid apps, and if it asks for more permissions than I want I just download the source, remove the permissions I don't like, and comment out any code that tries to use the errant permission.
Maybe 5% of the time they're even using it for something worthwhile... at times they're even going to the bother to store the phone id in the app's database (which is just a sqlite file) when they don't have internet permissions. Bu
Feasible but how useful is it? (Score:5, Insightful)
It's feasible, but how useful is it? You can of course loop through IMEI codes, but not every phone has registered, so it will be some time before you get matching info.
But otherwise I agree - it's a weakness that should be protected better. It also highlights that too many services request too much personal information.
Re: (Score:2)
You can create your own, searchable, database of everyone using TrueCaller.
And then sell access to it.
Or threaten people in it.
Re: (Score:2)
Re: (Score:2)
Yes. You search by name, not IMEI. That's just the primary key.
Perhaps you should go back & read the second to last sentence in TFS.
Re: (Score:2)
The researcher found that Truecaller uses devices’ IMEI as the only identity label of its users. Meaning that anyone gaining the IMEI of a device will be able to...
No IMEI - no honey.
I'm not saying it's perfectly OK - you could think of many possible situations when this could be used to get access to personal data. Like if some phone manufacturers assign IMEI sequentially. But in real world it's unlikely that this 'vulnerability' will ever be used for fun or profit. Anyway, it would not be terribly difficult to additionally protect this database by security token stored on the
Re: (Score:2)
So, you don't know how to iterate numbers to pull out ALL the IMEI numbers?
Geez....
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Deviously clever, anyway 14 digits is something about 100 trillion, in scientific terms that's more than 100 million LoC (Libraries of Congress). What would be your script brute forcing speed, approximately? Because if it'll be less than about 4 LoCs per second - running this script would be a lifetime affair.
But only 6 of those digits are the device serial number, the rest are the manufacturer and model. So if you just want to try the most popular manf and models you have a much smaller search space.
Wiki IMEI page [wikipedia.org]
Re: (Score:2)
Although the flaw has been fixed in the latest version, the majority of the users are still in danger as they have not got access to the new release yet. The CM Security Research Lab advises Truecaller users to upgrade this app to the latest version as soon as possible.
It sounds like they still allow access by IMEI only, at least for accounts that did not update client software yet.
There is a lesson here... (Score:1)
In addition to the usual lessons to app developers, there is a lesson for users. Do not allow "apps" to know more than what is required for them to fulfill the purpose you installed them for. And if they insist on such things (like access to your photographs), then do not install them.
With things like "true caller" it is bad enough that they know who calls you — but they have a legitimate need to know. They do not need to know you, however.
Unfortunately... (Score:5, Insightful)
Unfortunately, it has become such common practice to request "kitchen sink" permissions that it's nigh impossible to find useful apps that don't do so. And the sad fact is that users have become so jaded to it that the money that app makers lose from people who value privacy is less than the money they make from people just clicking through on every "OK" button they see to get their new shiny.
I wish I had an answer to this problem, but I don't. People are stupid, and there's not much you can do to fix that. Unfortunately, that means that people like you and me who do care about our privacy pay the price.
Re: (Score:2)
It stems from two problems.
First, the permissions weren't granular enough and common tasks and notifications end up r
Re: (Score:2)
It stems from two problems.
Nope, not those.
There's a fairly easy solution to these issues, and there are cyanogenmod / rooted apps that have been available for a long time so it's technically a done deal. Allow the user to control which permissions it allows for each app, and allow the setting of stand in values.
For example, if an app requires GPS, the user could select "nope... just feed the app these coordinates instead: ___". Similar for a contact list, let the user supply an empty or preset or limited list of contacts.
The existin
Re: (Score:3)
There's a fairly easy solution to these issues, and there are cyanogenmod / rooted apps that have been available for a long time so it's technically a done deal. Allow the user to control which permissions it allows for each app,
Fixed in Android 6.0 Marshmallow, this release provides a granular per-app permissions management UI, allowing revocation of permissions from any app.
Re: (Score:2)
Yay. 2.3% of Android phones are covered.
https://developer.android.com/... [android.com]
Re: (Score:2)
And, now that Android does have this feature, and still provides an up-front listing of requested permissions...
Re: (Score:2)
Stuff like "Phone state" seems scary, but a practical reason is so a media player can pause playback when you get a phone call.
This may vary by OS, but on Android there are different volume settings for media and for the phone, and even when I'm using an IP-phone app it can mute the other media on its own. There is no need for all the other apps that can play sound to be given access to your phone status for that.
That is the sort of horseshit that so many users just gobble up.
No, look, they're going to be lying to you. The question isn't, "is there a plausible excuse for having asked for it," the question is, "is it actually necess
Re: (Score:2)
Unfortunately, it has become such common practice to request "kitchen sink" permissions that it's nigh impossible to find useful apps that don't do so.
^^^THIS.
100% agreed....I recently wanted to install a compass on my phone, mostly to play with but also because it could conceivably be useful someday. And it wanted access to my photos, contact list, battery stats, bluetooth service, audio settings, "read frame buffer", SMS, calendar, voicemail and a bunch of other shit I can't even recall....for a compass app.
Why in the world would a compass need access to my photos, voicemail, calendar and contact list?
In the end, I didn't install it. Unfortunately Andro
Re: (Score:2)
I'll be headed back home in the next few weeks. I've got a real compass. I have several. They've even got the sights on them so you can shoot your azimuth accurately. They're the flip-up clam-shell type of compasses, the only kind to have. I even have some that have a base with right angles so that you can stick 'em on top of a map and use the scale.
'Cause, if you want a compass - I've got a compass. I'll gift you one. Hell, somewhere in my boxes of stuff I have a bunch of them that fell off a truck when we
Re: (Score:2)
Thanks. I have several real ones myself, I just wanted to play with a virtual one on my phone and compare it to the physical ones I've got to see how accurate it was.
But since the compass app appears to want access to my entire life story including my birth certificate and a stool sample, I'll just have to make do with the old-fashioned real-world version. :)
Re: (Score:2)
F-droid might have something.
Re: (Score:2)
Re: (Score:2)
I have no trouble finding useful apps, I just have less trouble trying out sucky apps.
Maybe apps that ask for more than they need are full of sloppiness or sleaziness?
I probably have a lot fewer apps installed than you, but that doesn't guarantee I get less utility from my device.
There is an answer, and you seem to miss it; there is no need for everybody to have a clue. It can be done on an individual basis, and is effective.
You giving out your personal details doesn't give out mine. I'm not "paying the pric
Re: (Score:3)
Re: (Score:2)
it is bad enough that they know who calls you — but they have a legitimate need to know.
They do? Who's "they"? The KGB?
Re: (Score:2)
Anyone pulling out all the IMEI info & creating their own databases.
Re: (Score:2)
Yes Tommy, before ze Germans get here
Re: (Score:1)
Makers of the TrueCaller application. Hope, this helped.
Re: (Score:1)
You didn't explain why they are entitled....
Re: (Score:1)
You never asked. And now the rest of the audience is gone and I don't feel particularly charitable towards someone, who planned to devise his own "unbreakable" phone just a short while ago in another thread.
So I'll leave it as an exercise for you. What is the program [truecaller.com] promising to do, that might justify its accessing of the user's incoming calls?
Re: (Score:1)
Ah, typical KGB :-) Still the Ruskie! Please, go home...
Very useful app for minimizing spam calls (Score:2)
Re: (Score:2)
At first glance, it would seem like a smart way to create a crowd-sourced whitelist. On the other hand, if you've ever created a contact with a silent ringer to block calls from junk callers, you've just broken part of the whitelist.
Re: (Score:2)
Does this app crowd source their user base's contact list?
That would suck. I don't want my number and name in some central database. It's bad if Joe the group's goof installs and the app siphons my number off his contact list.
Re: (Score:2)
Data harvesting... (Score:2)
Re: (Score:2)
No, that is why I stop and go somewhere else when asked for private information.
Design Flaw, not security (Score:1)
Basically, this app is using the device IMEI as the login and password. Whoever thought this was a good idea lacks basic security principles.
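An added illustration of the point in this comment (example code, not Truecaller's or the researchers'): the IMEI-keyed lookup beside a model where a random, hashed bearer token issued after phone verification stands in for it, plus the search-space comparison from the IMEI-digits comment above. The sample IMEI and profile are constructed.

```python
import hashlib
import math
import secrets
from typing import Optional

# Constructed sample account store (not Truecaller's data): IMEI -> profile.
PROFILES = {
    "490154203237518": {"name": "Alice Example", "email": "alice@example.invalid"},
}


def lookup_by_imei(imei: str) -> Optional[dict]:
    """The design the thread criticises: the IMEI is both login and password,
    so anyone who knows or enumerates a registered IMEI reads the profile."""
    return PROFILES.get(imei)


class TokenAuth:
    """Hardened model: the IMEI is at most a device label. Reading or changing
    a profile requires a random bearer token issued only after the phone number
    was verified (the SMS/call step the summary describes). Only a SHA-256 of
    each token is stored, so a leaked table does not hand out live tokens."""

    def __init__(self) -> None:
        self._token_hashes = {}  # sha256(token) hex -> imei

    def issue_token(self, imei: str, phone_verified: bool) -> Optional[str]:
        if not phone_verified or imei not in PROFILES:
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits, not derivable from the device
        self._token_hashes[hashlib.sha256(token.encode()).hexdigest()] = imei
        return token

    def lookup(self, token: str) -> Optional[dict]:
        digest = hashlib.sha256(token.encode()).hexdigest()
        imei = self._token_hashes.get(digest)
        return PROFILES[imei] if imei else None


def imei_serial_bits(serial_digits: int = 6) -> float:
    """Guessing work for an IMEI once the 8-digit TAC (manufacturer/model) is
    known: only the serial digits vary, i.e. 10**6 values, about 20 bits."""
    return math.log2(10 ** serial_digits)


def token_bits(nbytes: int = 32) -> int:
    """Guessing work for the random token: 8 bits per byte, 256 for 32 bytes."""
    return 8 * nbytes
```

Presenting a bare IMEI to the hardened model returns nothing, and the token it issues cannot be reconstructed from the device at all.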
Hash (Score:2)