Security Vulnerability in 'Call Recorder' App Exposed User Conversations

A security flaw in an app called "Call Recorder" exposed thousands of customer conversations, reports TechCrunch. The vulnerability was found by PingSafe AI researcher Anand Prakash, and has since been patched.

The Call Recorder app is designed to allow iPhone users to record their incoming and outgoing phone calls, with those recordings stored in the cloud on Amazon Web Services.

Using a proxy tool like Burp Suite, Prakash was able to view and modify network traffic going in and out of the app. When he replaced his phone number in that traffic with the phone number of another Call Recorder user, that user's recordings became available on his phone.

There were more than 130,000 audio recordings available, though the files could not be accessed or downloaded outside of the app. TechCrunch informed the developer about the security flaw and it was fixed in an update on Saturday.
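The phone-number substitution described above is a missing server-side authorization check. The following is an added example, not code from the Call Recorder app or its backend, which are not public: it contrasts a handler that trusts the phone number in the request with one that takes the owner from the authenticated session. The request shape, session store and all names are assumptions, and the data is constructed.

```python
# Constructed sample data: tokens, phone numbers and file names are made up.
SESSIONS = {"tok-alice": "+15550100", "tok-bob": "+15550199"}
RECORDINGS = {
    "+15550100": ["alice-call-1.m4a", "alice-call-2.m4a"],
    "+15550199": ["bob-call-1.m4a"],
}
AUDIT_LOG = []  # rejected requests, kept for detection and alerting


class Forbidden(Exception):
    """Raised when a request is unauthenticated or not authorized."""


def list_recordings_vulnerable(request):
    # Flawed pattern: the phone number in the request body is treated as
    # proof of ownership, so whoever edits the body chooses the account.
    return list(RECORDINGS.get(request["phone"], []))


def session_owner(token):
    # Identity comes from the server-side session store only.
    owner = SESSIONS.get(token)
    if owner is None:
        raise Forbidden("unknown or missing session")
    return owner


def list_recordings_hardened(request):
    owner = session_owner(request.get("token"))
    claimed = request.get("phone", owner)
    if claimed != owner:
        # A body that names a different account is a tampering signal:
        # record it for monitoring, then refuse the request.
        AUDIT_LOG.append({"session_owner": owner, "claimed": claimed})
        raise Forbidden("phone number does not match session")
    return list(RECORDINGS.get(owner, []))


def demo():
    # Same tampered request against both handlers (hypothetical shape).
    tampered = {"token": "tok-alice", "phone": "+15550199"}
    leaked = list_recordings_vulnerable(tampered)
    try:
        list_recordings_hardened(tampered)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked
```

Entries in `AUDIT_LOG` are what a monitoring rule would alert on, since a legitimate client never sends a phone number that differs from its own session.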

A recent report from mobile security firm Zimperium suggested that thousands of iOS apps that use public cloud services like Amazon Web Services, Google Cloud, and Microsoft Azure have improper setups that risk exposing user data.

6,608 iOS apps were found to be exposing users' personal information, passwords, and medical information. Zimperium CEO Shridhar Mittal said that cloud storage misconfigurations are a "disturbing trend."

"A lot of these apps have cloud storage that was not configured properly by the developer or whoever set things up and, because of that, data is visible to just about anyone. And most of us have some of these apps right now," he said.

No apps were named in the report because of the vulnerabilities involved, but some were major apps including a mobile wallet from a Fortune 500 company and a transportation app from a large city.


Top Rated Comments

Rigby
8 months ago

Anything goes in the walled garden as long as Apple gets its pound of flesh.

Remember when they said it was going to be curated?
If you expected Apple to be able to somehow detect every bug or vulnerability in every 3rd party app, you have completely unrealistic expectations.


You're safer using the open Web, thanks to the protections of Google.
Thanks for the laugh.
Score: 9 Votes

MichaelMaier
8 months ago

I always wonder why people need to record a phone call, since without consent it can’t be used as evidence in a trial and might be illegal in the US… until someone from Instacart’s customer support told me to “get over it” and accept that they spy on their customers but it is not different from anyone else. I was like… but I’m paying for you to spy on me? And they said yes! … I wish I had a way to record those calls.
Correct me if I’m wrong, but in most US states you only need the consent from one participant of a recorded conversation.
Score: 5 Votes

69Mustang
8 months ago

I always wonder why people need to record a phone call, since without consent it can’t be used as evidence in a trial and might be illegal in the US… until someone from Instacart’s customer support told me to “get over it” and accept that they spy on their customers but it is not different from anyone else. I was like… but I’m paying for you to spy on me? And they said yes! … I wish I had a way to record those calls.
The laws in the US vary by state and jurisdiction. Some have 2 party consent, others only require 1 party. You are right that with consent, the recording can be used as evidence in court. I live in a 1 party consent state. Fyi, 37 other states and the District of Columbia are also 1 party consent.

With that knowledge in hand, it's not really that hard to fathom why people record calls.
Score: 4 Votes

deevey
8 months ago

I always wonder why people need to record a phone call, since without consent it can’t be used as evidence in a trial and might be illegal in the US… until someone from Instacart’s customer support told me to “get over it” and accept that they spy on their customers but it is not different from anyone else. I was like… but I’m paying for you to spy on me? And they said yes! … I wish I had a way to record those calls.
Try calling any customer service dept multiple times. Half the time they deny having a log of the previous complaints or fail to relay the call correctly.

Being able to play the call back to their supervisor - priceless!
Score: 4 Votes

Apple_Robert
8 months ago

Anything goes in the walled garden as long as Apple gets its pound of flesh.

Remember when they said it was going to be curated?

You're safer using the open Web, thanks to the protections of Google.

If you use Safari Fraudulent Website Warning (which you probably do by default), that's a Google feature (Apple sends the URLs to Google's servers to check them).

None of this makes Apple look good in its antitrust hearings where they say consumers trust them to have a safe app store and thus can't allow third party app stores or payment services.
How is the subject of the article Apple's fault?
Score: 3 Votes

dk001
8 months ago

I always wonder why people need to record a phone call, since without consent it can’t be used as evidence in a trial and might be illegal in the US… until someone from Instacart’s customer support told me to “get over it” and accept that they spy on their customers but it is not different from anyone else. I was like… but I’m paying for you to spy on me? And they said yes! … I wish I had a way to record those calls.
Sadly not true.
Recently wrapped up a legal issue where party A in a State without dual consent could record and use everything while the other side living in a dual party consent State could not.

Then again it can be fun to put "your call may be recorded for quality purposes..." on your line. :eek: The telemarketers hang up fast.
Score: 2 Votes