With technology forever advancing, we find more convenience and improvements to life with new apps being launched every day. From tracking health and fitness to tracking budgets and spending, there’s an app for it all. But when it comes to giving out your personal data or your live location, these apps may not be the safest choice. It was found recently that a family tracking app was leaking real-time locations of over 2,38,000 users for weeks. The reason: the app developer had left a server exposed without a password.
Family Locator, quite popular in the market, was built by React Apps, an Australian-based software house. The app enables family members to keep a track on each other. So spouses or parents can keep a track on each other or their children. Users can also set up geofence alerts that enable notifications to be sent to a family member when they enter or leave a particular location. For example, if the child enters school, the parent would receive a notification.
But the app developer had left the backend MongoDB database exposed, with no password to protect it. Anyone who had the knowledge and technical know-how could access this information. With mobile app hacking on the rise, the need for security and encryption is now more than ever.
The issue was found and reported to TechCrunch by Sanyam Jain, a security researcher and member of the GDI Foundation.
After reviewing the database, it was found that each account had data recorded of the user’s name, profile photo, email address and a plain text password. These accounts recorded their own and their family’s real-time locations, accurate to a few feet. Though we may feel secure that our accounts are password-protected,
Users who opted to have a geofence alert also had the location coordinates recorded in the database along with the name users gave them such as “work”, “school” or “home”. All of this data available was not encrypted.
The contents of the database were verified by TechCrunch once they downloaded the app and signed up using a dummy email address. In no time, the real-time location appeared in the database as precise coordinates.
TechCrunch contacted a random app user who was shocked to find out about the exposed data. The Florida-based user, who chose to remain anonymous, confirmed that the coordinates were correct and that the location was their business. The user also confirmed that the family member listed on the app was their child who studied at a high school close by.
Other records were reviewed to discover more real-time locations of children and parents.
Though TechCrunch tried contacting the developer for a week, there was no response. ReactApps had no contact information on their website which had a privacy-enabled hidden WHOIS record that masked the email address of the owner.
After purchasing the company’s business records from the Australian Securities & Investments Commission, it was found that the company is owned by Sandip Mann Singh, but there was no contact information attached.
Several messages sent by TechCrunch through the company’s feedback form on the website went in vain as no acknowledgment or response was received.
Finally, Microsoft was contacted as the database was hosted on its Azure cloud. A few hours later, the database was taken offline.
Singh has still not acknowledged the data leak. It is unknown for exactly how long the database was left exposed.
Knowing the level of cybercrime that is prevalent in the world, as individuals, we need to take care of what apps we use along with what terms and conditions we agree to, and what permissions we grant. A recent M-Commerce report conducted by Appknox showed that 84% of mobile apps have high levels of vulnerability.
So while trying to ensure the safety of your family, these tracking apps can lead to personal data falling into the wrong hands which could spell all sorts of trouble. For now, the data is safe, however, it is not known if anyone else, other than Jain and TechCrunch, accessed the data before it was pulled offline.