Google made a lot of noise about completing the global rollout of RCS and about its next step for securing it on Android: end-to-end encryption. Coincidentally, the latest security news shows why this development matters in a post-SMS world. A once-popular alternative SMS application for Android apparently exposed every photo, video or file its users shared, and its developers conveniently fell silent when notified of the security lapse.
GO SMS Pro, one of the many GO-branded apps on the Google Play Store, peaked in popularity in the early days of Android, when third-party SMS apps were in fashion. These applications tried to offer features beyond what plain SMS could support, such as sharing photos and videos with other users. The way the app implemented this was quite simple, but unfortunately also insecure.
The application apparently uploaded shared files to a remote server and generated a URL so that anyone could view the file, even without using GO SMS Pro. Unfortunately, this “anyone” turned out to mean literally anyone: the files were not encrypted, and the links to them were simply numbered sequentially in a predictable manner. In other words, once a moderately skilled person obtained one of these links, they could easily walk through every file stored on the server, which included screenshots of confidential and private information.
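The flaw described above is a classic case of a share link that doubles as the only access control while being trivially guessable. The following Python example is added here for illustration and is not GO SMS Pro's code; the hostname `files.example` and the store class are constructed. It contrasts the sequential-counter pattern with a capability link built from a 256-bit random token, stored only as a hash and carrying an expiry, so that a link cannot be derived from a neighbouring one, a database leak does not reveal live links, and a leaked link stops working on its own.

```python
"""Unguessable, expiring share links for uploaded files (added example)."""
import hashlib
import math
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


# --- The insecure pattern from the article, shown only for contrast -----------
def sequential_link(counter: int) -> str:
    # Every link is a small integer; anyone holding link N also knows N-1, N+1, ...
    return f"https://files.example/{counter}"  # constructed hostname


def link_entropy_bits(number_of_possible_links: float) -> float:
    """Bits of work needed to guess one valid link by brute force.
    About 20 bits (a million sequential files) is nothing; 256 bits is infeasible."""
    return math.log2(number_of_possible_links)


# --- The safer pattern: random token + hashed storage + expiry -----------------
TOKEN_BYTES = 32  # 256 bits drawn from the OS CSPRNG via the secrets module


@dataclass
class SharedFile:
    owner: str
    data: bytes
    expires_at: float


@dataclass
class FileShareStore:
    # The clock is injectable so expiry can be tested deterministically.
    now: Callable[[], float] = time.time
    # Keyed by SHA-256 of the token: a copied database does not yield usable links.
    _files: Dict[str, SharedFile] = field(default_factory=dict)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def share(self, owner: str, data: bytes, ttl_seconds: int = 3600) -> str:
        """Store a file and return the secret token that forms the share link."""
        token = secrets.token_urlsafe(TOKEN_BYTES)  # ~43 URL-safe characters
        self._files[self._key(token)] = SharedFile(
            owner=owner, data=data, expires_at=self.now() + ttl_seconds
        )
        return token

    def link_for(self, token: str) -> str:
        return f"https://files.example/s/{token}"  # constructed hostname

    def fetch(self, token: str) -> Optional[bytes]:
        """Return the file for a valid, unexpired token; None otherwise."""
        key = self._key(token)
        entry = self._files.get(key)
        if entry is None:
            return None
        if self.now() >= entry.expires_at:
            del self._files[key]  # expired links are cleaned up on access
            return None
        return entry.data

    def revoke(self, token: str) -> bool:
        """Let the owner kill a link early; True if something was removed."""
        return self._files.pop(self._key(token), None) is not None
```

The point of `link_entropy_bits` is to make the gap concrete: a million sequentially numbered files give an attacker roughly 20 bits to search, which any loop exhausts, while `secrets.token_urlsafe(32)` gives 256 bits, which cannot be enumerated. Expiry and revocation matter because share links get forwarded and logged; the token's secrecy should not have to last forever.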
To make matters worse, the app's developers did not really respond to the report. Trustwave, which discovered the problem, contacted the developers in August as part of its responsible disclosure process. An email was returned and no reply was received. After three months, the researchers decided it was time to go public with the vulnerability.
It is true that Google Play Store security checks would not easily have detected this behavior, since it is server-side. It may not even violate any Android policy, although it is a glaring failure to follow basic security practices in the first place.