
How confidential are your calls? This iPhone app shared them with everyone
2021-03-11 19:32

In theory, many exploitable IDOR bugs can be found purely analytically, by reverse engineering the suspect app, without ever actually creating a fake account and running the app itself.

There's no need to spend days analysing an app statically in a decompiler if you can deduce its bugs directly from its own behaviour - you simply give the app a chance to cook its own cybersecurity goose while you take notes.

In this case, the app was called Acr call recorder - for iPhone, and like many App Store apps, it is awash with hundreds, nay thousands, of glowing 5-star reviews.

You can probably guess where this is going, given that many of these 5-star reviews rather curiously recommend a completely different app in their text, or praise the app using peculiar turns of phrase that put forward unlikely and even worrying reasons.

Perhaps the most apposite review, at least until the app was updated after the developer received Anand Prakash's bug report, was Leanne's 5-star review saying "In addition to managing recordings, I can also share them easily when needed. So convenient for me!".

What Leanne left out was that the cloud-based storage feature of the app was convenient not only for her but for everyone else in the world, including those without a copy of the app or even an iPhone.
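As an added illustration (not code from the article or from the app itself), here is the lookup pattern behind this class of IDOR bug beside a hardened version that requires an authenticated caller and checks object ownership before returning the recording. The in-memory store, user names and recording ids are constructed for the example.

```python
from typing import Callable, Optional, Tuple

# Constructed sample data: two users, each with one cloud-stored recording.
RECORDINGS = {
    "rec-1001": {"owner": "alice", "blob": b"alice-call-audio"},
    "rec-1002": {"owner": "bob", "blob": b"bob-call-audio"},
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def fetch_recording_vulnerable(recording_id: str) -> bytes:
    """IDOR pattern: the server trusts the identifier alone, so anyone
    who knows or guesses an id receives the audio, signed in or not."""
    rec = RECORDINGS.get(recording_id)
    if rec is None:
        raise NotFound(recording_id)
    return rec["blob"]


def fetch_recording_hardened(session_user: Optional[str], recording_id: str) -> bytes:
    """Object-level authorization: an authenticated caller is required and
    the object must belong to that caller. Unguessable ids (e.g. UUID4)
    are defence in depth only; this check is what actually closes the hole."""
    if session_user is None:
        raise Forbidden("authentication required")
    rec = RECORDINGS.get(recording_id)
    # Same response for "does not exist" and "not yours", so the endpoint
    # does not confirm which recording ids exist.
    if rec is None or rec["owner"] != session_user:
        raise NotFound(recording_id)
    return rec["blob"]


def try_fetch(fn: Callable[..., bytes], *args) -> Tuple[str, Optional[bytes]]:
    """Run a fetch function and report the outcome as a status string."""
    try:
        return "ok", fn(*args)
    except Forbidden:
        return "forbidden", None
    except NotFound:
        return "not_found", None


if __name__ == "__main__":
    # An anonymous caller gets Bob's recording from the vulnerable endpoint...
    print(try_fetch(fetch_recording_vulnerable, "rec-1002"))
    # ...but not from the hardened one, and neither does Alice.
    print(try_fetch(fetch_recording_hardened, None, "rec-1002"))
    print(try_fetch(fetch_recording_hardened, "alice", "rec-1002"))
```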

News URL

https://nakedsecurity.sophos.com/2021/03/11/how-confidential-are-your-calls-this-iphone-app-shared-them-with-everyone/