Location sharing apps often come with many useful features that are used (mostly) by parents to keep track of their children, or by whole families to keep track of each other. These apps do not come with spying features, that is, an option to install the app on a user’s device without that user’s knowledge.
On the other hand, there are blatant spying apps whose spying features are typically used by abusers who install them on their victims’ devices. The abuser then gets access to all communications along with other details such as pictures taken, real-time location data and more, all while keeping the victim completely in the dark about what is going on.
While these two app groups serve completely different purposes, many of them share one worrisome issue: security vulnerabilities that allow attackers to access all kinds of data without users being aware that their private data has been compromised.
The sad truth is that most location sharing apps promise a high level of security for their users and talk of the various encryption methods they use, but the reality is completely different.
“All your family secrets belong to us – Worrisome security issues in tracker apps”
There are spying apps that offer all kinds of nefarious features and questionable levels of security. It is truly tragic that apps offering to spy on others come with such poor security that anyone, not just the perpetrator, can spy on innocent victims.
A recent study titled “All your family secrets belong to us – Worrisome security issues in tracker apps”, performed by security researchers Siegfried Rasthofer and Stephan Huber, both of the Fraunhofer Institute for Secure Information Technology in Germany, revealed a large number of security vulnerabilities in 18 of the most popular location sharing and spying apps on the Google Play Store. The findings, presented at a recent DEF CON hacking convention held in Las Vegas, showed numerous security vulnerabilities along with ways to fix them.
The apps included a number of parent and family location sharing and tracking apps such as Family Locator, My Family GPS Tracker, and KidControl GPS Tracker; these offer location sharing and tracking features and are visible on each phone they are installed on. The study also covered many spying apps such as Couple Tracker App, Phone Tracker By Number, Couple Vow and Phone Tracker Pro, all of which can be installed on a victim’s phone without their knowledge.
Vulnerabilities are found
Researchers found 37 different vulnerabilities in total across these apps. A number of issues were repeated in many apps, some giving attackers a way to scoop up usernames, passwords, and the data of every registered user of an app. This is the case with the app called Couple Vow, a classic spy app for couples that is used mostly by people with ill intentions to spy on their partners without their knowledge. Researchers found a vulnerability that allowed them to download all 1.7 million user passwords along with other data such as call logs, messages, images (among them many nude images), and location data. Except for the passwords, every single byte of that sensitive data belonged to the victims who were tracked and spied on. The root cause was that this app kept every user password in plain text on the app’s servers!
The other vulnerabilities exposed all kinds of security issues; we will show you the most drastic examples.
The My Family GPS Tracker app had its tracker data accessible to the public and also transmitted tracker data without any kind of encryption. The first issue affected every version of the app, and it allowed attackers to obtain location data and, in some cases, images with a simple HTTP request. The second issue was that the app transmitted all GPS location data over an unencrypted HTTP connection.
The KidControl GPS Tracker app has several security problems, the most drastic being that it transferred all credentials (login, registration, and signup using an invitation code) over HTTP, and instead of proper encryption the app applied simple obfuscation, which presents no challenge to an attacker. On top of that, the app lacks encryption for its registration and login communication. In other words, none of the communication between the app and its backend is encrypted, which is a disaster for a location sharing and tracking app.
The most frequent issue is called Hard-Coded Database Credentials, and it allows attackers to easily gain access to all data stored on an app’s MySQL servers. This happens because the apps connect directly to their MySQL databases with no middleware in between. On top of that, the credentials for accessing the database are hard-coded inside the apps, so by decompiling an app, attackers can get their hands on those credentials and gain unlimited access to the servers. Twelve of the 18 apps covered by the study suffer from this particular issue.
The GPS Location Tracker app has many issues, including plain-text communication (all communication between the backend and the app uses HTTP without any encryption) and vulnerability to SQL injection attacks, which give attackers access to login and GPS location data.
Next, we have the GirlFriend Cell Tracker app, which has numerous security issues that give attackers complete access to all SMS conversations and all profile pictures. The app also sends all traffic over plain HTTP and doesn’t employ any form of encryption.
The RealTime GPS Tracker app has its PHPInfo page publicly accessible, but that’s not all. Data that should be encrypted, such as location info, is also publicly accessible. You can check out all the findings for each app by following this link.
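The plain-text password storage described above is the difference between a database leak that exposes 1.7 million passwords and one that exposes none. The following is an added example, not code from the study or from any app it covers: it shows a backend storing passwords as salted PBKDF2 hashes and verifying logins against them, and it counts how many rows of a leaked user table give away the password in each scheme. The record format, the user names and the passwords are constructed for this example.

```python
# Added example (not code from the study or from any app it covers): how a
# backend should store login passwords so that a leaked user table does not
# hand every password to whoever obtained it. The storage format and the
# sample users below are constructed for this example.
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Raise it as hardware gets faster.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    if not salt:
        salt = os.urandom(16)  # unique per user, so equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def plaintext_table(users: dict) -> dict:
    """The scheme the study found in Couple Vow: the password itself is the stored value."""
    return dict(users)


def hashed_table(users: dict) -> dict:
    """The hardened scheme: only salted hashes are stored."""
    return {name: hash_password(pw) for name, pw in users.items()}


def leaked_passwords(table: dict, users: dict) -> int:
    """Count rows of a leaked table whose stored value is the user's password in the clear."""
    return sum(1 for name, pw in users.items() if table.get(name) == pw)


if __name__ == "__main__":
    users = {"alice": "correct horse", "bob": "hunter2", "carol": "hunter2"}  # constructed
    print("plaintext rows leaked:", leaked_passwords(plaintext_table(users), users))
    table = hashed_table(users)
    print("hashed rows leaked:", leaked_passwords(table, users))
    print("same password, different records:", table["bob"] != table["carol"])
    print("login ok:", verify_password("hunter2", table["bob"]))
```

The per-user salt matters as much as the hash: without it, bob and carol would share an identical record, so cracking one password would reveal the other. The iteration count is what makes offline guessing against a leaked table expensive; store it in the record, as shown, so it can be raised later without invalidating existing users.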
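Because a shipped APK can always be decompiled, the fix for Hard-Coded Database Credentials is architectural: the app talks only to a backend API with a per-user session, and the database credentials never leave the server. The check below is an added example, not code from the study or from any of the apps it covers. It is a pre-release audit a developer can run over the decompiled output of their own build to catch the pattern the study describes: a JDBC/MySQL connection string plus username and password literals inside the app. The two Java fragments it scans are constructed to look like decompiled code; the host names and the credential value are placeholders.

```python
# Added example (not from the study): a pre-release check run over the
# decompiled output of one's own APK to catch the Hard-Coded Database
# Credentials pattern. The Java fragments below are constructed for this
# example; hosts use the reserved .invalid domain and the password is a placeholder.
import re
from typing import Dict, List

# Constructed fragment shaped like decompiled code that opens MySQL directly.
VULNERABLE_SOURCE = '''
public class DbHelper {
    static final String URL = "jdbc:mysql://db.example.invalid:3306/tracker";
    static final String USER = "tracker_app";
    static final String PASS = "s3cr3t-placeholder";
    Connection open() throws SQLException {
        return DriverManager.getConnection(URL, USER, PASS);
    }
}
'''

# The same feature done right: the app only talks to an HTTPS API and
# carries a per-user session token, never a database credential.
HARDENED_SOURCE = '''
public class ApiClient {
    static final String BASE = "https://api.example.invalid/v1/";
    String fetchLocations(String sessionToken) { return get(BASE + "locations", sessionToken); }
}
'''

PATTERNS = {
    "jdbc_connection_string": re.compile(r'"jdbc:[a-z]+://[^"]+"'),
    "direct_db_connect": re.compile(r'DriverManager\.getConnection\('),
    "mysql_driver_load": re.compile(r'com\.mysql\.(cj\.)?jdbc\.Driver'),
    "credential_literal": re.compile(r'(?i)\b(user|username|pass|password|pwd)\s*=\s*"[^"]+"'),
}


def scan_source(source: str) -> Dict[str, List[str]]:
    """Map each finding type to the offending lines, prefixed with their line number."""
    findings: Dict[str, List[str]] = {}
    for number, line in enumerate(source.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.setdefault(name, []).append(f"{number}: {line.strip()}")
    return findings


def has_hardcoded_db_credentials(source: str) -> bool:
    """The study's pattern: a direct database connection plus credential literals in the app."""
    found = scan_source(source)
    connects_directly = "jdbc_connection_string" in found or "direct_db_connect" in found
    return connects_directly and "credential_literal" in found


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(label, "->", has_hardcoded_db_credentials(src))
        for name, lines in scan_source(src).items():
            print("  ", name, lines)
```

Run this over the output of a decompiler (or over the app's own source tree before the build) as a gate in the release pipeline. The credential regex will also flag test fixtures and documentation strings, which is the right failure mode for a pre-release check: a human looks at every hit, and a hit combined with a direct database connection fails the build.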
Who is responsible?
The two-man team of Rasthofer and Huber informed the vendors of all apps with security vulnerabilities and got worrying reactions. Most responded by asking the team “How much money do you want?”, implying they thought that paying up would cover the mess, or with a prideful “It’s not a bug, it’s a feature,” which just shows they really don’t care about their users. A few responded by notifying the team that they would fix the issues, but a lot of developers simply didn’t respond at all.
The research shows just how poor security standards are in the field of location sharing apps. It also proves, perhaps, that spying apps (which are nefarious by default) shouldn’t be used, because their makers don’t care at all about security and the apps leak data like crazy. Do not use spying apps, ever. Simple.
If, on the other hand, you want to use location sharing and tracking apps to keep your kids safe or so that your family can keep track of each other, be sure to use an app that offers two-way encryption. Put security before everything else: location sharing and tracking apps deal with sensitive data that should not be served up on a silver platter for everyone to access, which seems to be the case with most apps featured in this research.