One more Android app risked the security and privacy of users. This time, it is GO SMS Pro, a messaging app on Android, that exposed users’ private messages. The vulnerability potentially affected millions of users globally.
GO SMS Pro Android App Exposed Messages
Researchers from Trustwave discovered a vulnerability in the Android app GO SMS Pro that exposed users’ messages and shared media.
Specifically, the flaw existed in the way the app generated links for files that users shared in chats.
Normally, the app showed previews of shared media, such as pictures and videos, or of private messages, when both the sender and the recipient had the app installed. If the recipient didn’t have the app, a clickable URL would appear instead, leading the recipient to the shared media.
The researchers found that these URLs were generated sequentially. As described in their post:
Accessing the link was possible without any authentication or authorisation, meaning that any user with the link is able to view the content. In addition, the URL link was sequential (hexadecimal) and predictable. Furthermore, when sharing media files, a link will be generated regardless of the recipient having the app installed.
Hence, it became possible for an adversary to guess the URLs and retrieve media that users had shared earlier. The same approach would also let an adversary keep accessing media shared in the future.
This behavior threatened the security and confidentiality of the users’ chats and sensitive media shared via the app.
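The link scheme described above, set next to a hardened form, as an added illustration that is not code from the app or from the Trustwave post. The class names, the starting counter value, the recipient strings and the expiry time are assumptions made for the example.

```python
import secrets
import time

class SequentialLinks:
    """Weak scheme from the article: hex counter as key, no access check."""
    def __init__(self, start=0x1A2B3C):  # constructed starting value
        self._next, self._files = start, {}

    def share(self, data):
        key = format(self._next, "x")
        self._next += 1
        self._files[key] = data
        return key

    def fetch(self, key):  # anyone holding (or guessing) the key gets the data
        return self._files.get(key)

class HardenedLinks:
    """128-bit random token, bound to one recipient, with an expiry."""
    def __init__(self, ttl=3600):
        self._ttl, self._files = ttl, {}

    def share(self, data, recipient, now=None):
        now = time.time() if now is None else now
        token = secrets.token_hex(16)  # CSPRNG output, not derived from a counter
        self._files[token] = (data, recipient, now + self._ttl)
        return token

    def fetch(self, token, requester, now=None):
        now = time.time() if now is None else now
        entry = self._files.get(token)
        if entry is None:
            return None
        data, recipient, expires = entry
        if now >= expires:
            del self._files[token]  # expired links stop resolving
            return None
        # requester is assumed to be an identity the server already authenticated
        return data if requester == recipient else None

def looks_sequential(keys):
    """Audit check: True when sampled hex keys are consecutive integers."""
    try:
        values = sorted(int(k, 16) for k in keys)
    except ValueError:
        return False
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))
```

The `looks_sequential` check can be run over a sample of links issued by a service under review to flag counter-based keys before release.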
Google Removed The App From Play Store
Upon finding the vulnerability, the researchers made several unsuccessful attempts to contact the app developers.
After repeated failed attempts since August 2020, they eventually went ahead with public disclosure.
At that time, the app remained live on the Play Store. However, it seems that Google removed the app from the Play Store after this report. The app’s link now shows it as unavailable.
Other apps from the same developers are still live, although their website is presently unavailable and displays a weird message.
Before removal, GO SMS Pro boasted over 100 million downloads on Android. This means that the app’s vulnerability put millions of users at risk.
While it no longer exists on the Play Store, users must make sure to remove the app from their devices as well. They must also check and review the integrity of any sensitive documents shared via this app to prevent any mishap in the future.