A bug in a popular iPhone app exposed thousands of call recordings

A security vulnerability in a popular iPhone call recording app exposed thousands of users’ recorded conversations.

The flaw was discovered by Anand Prakash, a security researcher and founder of PingSafe AI, who found that the aptly named Call Recorder app allowed anyone to access the call recordings from other users — by knowing their phone number.

But using a readily available proxy tool like Burp Suite, Prakash could view and modify the network traffic going in and out of the app. That meant he could replace his phone number registered with the app with the phone number of another app user, and access their recordings on his phone.

TechCrunch verified Prakash’s findings using a spare phone with a dedicated account.

The app stores its user’s call recordings on a cloud storage bucket hosted on Amazon Web Services. Although the cloud storage server was open and listed the files inside, the files could not be accessed or downloaded. The bucket was closed by press time.

Data is the world’s most valuable (and vulnerable) resource

At the time of writing, the cloud storage bucket had more than 130,000 audio recordings, amounting to some 300 gigabytes. The app says it has more than 1 million downloads to date.

TechCrunch contacted the app developer and held this story until the flaw was fixed. A new version of the app was submitted to Apple’s app store on Saturday. The release notes said the app update was to “patch a security report.”

Despite a brief response to our initial email acknowledging the security issue, the app developer Arun Nair has not returned several requests for comment.

Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using SecureDrop.

Apple releases important iPhone, iPad, Mac and Watch security patches