An Android app with more than 10 million downloads left users’ selfies, pictures, audio messages, and other sensitive data exposed online for all to see. The app, called Drupe, was once named a “Google Play Editor’s Choice.”
Drupe promises users to help them “forget” about traditional phonebook apps, allowing them to get in touch with their contacts all in one place with calls, text messages, audio messages and integrating with other popular apps like WhatsApp, Skype and Hangouts, among others. The Next Web called it “a cleverly designed dialer every Android user should try.” Google featured Drupe in a recently deleted (but archived) post on the Android Developers website, praising the developers and awarding it a “Google Play’s Editor’s Choice.”
But its developers made a huge mistake. Until this week, Drupe users were unknowingly uploading some of their data to unprotected and unauthenticated servers on Amazon Web Services. This meant that anyone who knew where to look could access Drupe’s users pictures, audio messages, and potentially more.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
Security researcher Simone Margaritelli started researching the app on Saturday. When he looked into it, he found the insecure servers and started live-tweeting his discoveries without naming the app he was looking into. When Margaritelli told me about the app, he pointed me to the servers and I was able to verify that, indeed, they were publicly accessible to anyone who knew where to look. I was able to access several users’ pictures and even audio recordings of messages.
Margaritelli told me that, in theory, one could also enumerate the user ids, which were easy to guess, and access all their metadata, including call logs, sms, multimedia messages, and more.
“The amount of data left online is crazy,” Margaritelli told me in an online chat while the data was still available over the weekend. He estimated that there were billions of images and audio messages left online.
A Drupe spokesperson said in an email that the company “fixed the bug within an hour” after they were alerted of it, and deleted the files left online. The spokesperson, however, said they are still investigating how long those files were exposed. As of Tuesday, the servers that were previously accessible are not anymore.
In a blog post, Drupe said the exposed files were sent via the Drupe Walkie Talkie feature and a another feature that allows users to share images during a call. These features, the company’s CEO said, were used by “less than 5% of Drupe users.”
Margaritelli thinks Drupe was created with the goal or harvesting users’ data, and pointed to the fact that Drupe requests multiple permissions from its Android users—gaining access to almost everything you can think of: camera, call logs, audio, calendar, Bluetooth—as suspicious.
“Regardless of whether the app is malicious or not, it has no logical reason to gather all this data and store it on its servers,” he told me. “It’s a good habit to check the permissions requested by each app you use and, if not strictly necessary, avoid installing such invasive apps.”
After he posted a thread about his discoveries on Saturday, someone else figured out what app he was talking about and reported it to Goole, Margaritelli told me. As of Tuesday morning, the app is not available on the Play Store. You can see an archived version of it here. And the app also exists for iPhone.
Google did not immediately comment. We will update this post if we hear back.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.