A popular Google Messages replacement exposed private user data

Go SMS Pro, a popular third-party SMS app with over 100 million installs, going off its Google Play listing, has just been found to ship with a critical flaw.

Security researchers at the firm Trustwave found that the app was carelessly exposing user data by uploading files shared on the app to a public URL. After trying and failing to contact the app developers, they contacted the folks over at TechCrunch with their findings.

TechCrunch explained:

When a Go SMS Pro user sends a photo, video or other file to someone who doesn’t have the app installed, the app uploads the file to its servers, and lets the user share a web address by text message so the recipient can see the file without installing the app. But the researchers found that these web addresses were sequential. In fact, any time a file was shared — even between app users — a web address would be generated regardless. That meant anyone who knew about the predictable web address could have cycled through millions of different web addresses to users’ files.

The researchers did note that while it wasn’t possible to target any individual user of Go SMS Pro, someone could cast a huge fishnet and dredge up a lot of private data. TechCrunch was able to find a “person’s phone number, a screenshot of a bank transfer, an order confirmation including someone’s home address, an arrest record,” and several compromising photos. The app developers have gone AWOL in the meantime, so it’s not likely that this will be fixed soon.
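The sequential-address problem described above, shown next to one way a server could issue unguessable, expiring share links instead. This is an added example, not code from Go SMS Pro, Trustwave or TechCrunch; the host name, the starting counter value, the `ShareLinks` class and the 7-day lifetime are assumptions made for illustration.

```python
import hashlib
import itertools
import secrets
import time

BASE = "https://files.example.invalid/s/"  # placeholder host (assumption)

# Weak pattern from the article: identifiers come from a counter, so one
# known link gives away the shape of every other link.
_counter = itertools.count(1000)  # constructed starting value


def issue_sequential_link():
    return BASE + str(next(_counter))


class ShareLinks:
    """Hardened issuer (hypothetical): random token, stored hashed, expiring."""

    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self.ttl = ttl_seconds
        self._by_digest = {}  # sha256(token) -> (file_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, file_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only the digest is stored, so a leaked table does not leak links.
        self._by_digest[self._digest(token)] = (file_id, now + self.ttl)
        return BASE + token

    def resolve(self, url, now=None):
        now = time.time() if now is None else now
        if not url.startswith(BASE):
            return None
        digest = self._digest(url[len(BASE):])
        entry = self._by_digest.get(digest)
        if entry is None:
            return None  # unknown or guessed token
        file_id, expires_at = entry
        if now >= expires_at:
            del self._by_digest[digest]  # expired links stop resolving
            return None
        return file_id
```

A random token only makes links unguessable; files that should be private to the recipient still need an access check on the server.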


Some of Android’s best features are its customizability and modularity. You’re able to swap out parts of your phone’s software with third-party versions created by other developers. It does require a lot of trust being handed over to developers — especially when it comes to data like SMS messages — and sometimes that trust isn’t rewarded.

While the app does have over a hundred million downloads, it’s not clear how many of those are recent. Most Android phones sold in 2020 ship with Google Messages as their default messaging app, and users prefer to use end-to-end encrypted apps like Telegram and WhatsApp anyway. If you do have this app installed, it goes without saying you should probably ditch it.
