A popular substitute for Google messages exposed private user data

Upgrade to SMS Pro, a popular third-party SMS app with over 100 million installs from its Google Play list, just shipped with a critical flaw.

Security researchers from TrustWave Company found that the application was carelessly exposing user data by uploading files shared in the application to a public URL. After trying and not contacting the app developers, they reached out to the guys at TechCrunch with their findings.

TechCrunch explained:

When a Go SMS Pro user sends a photo, video or other file to someone who does not have the app installed, the app uploads the file to their servers and allows the user to share a web address via text message so that the recipient can view the file without installing the application. But the researchers found that these web addresses were sequential. In fact, every time a file was shared, even between application users, a web address was generated independently. This meant that anyone who knew the predictable web address could go through millions of different web addresses to users’ files.

The researchers noted that although it was not possible to target any single user with Go SMS Pro, someone could cast a huge fishing net and extract a large amount of private data. TechCrunch was able to find “the person’s phone number, a screenshot of a bank transfer, an order confirmation that included someone’s home address, an arrest record” and several compromising photos. In the meantime, the app developers have been absent, so it’s unlikely that the problem will be fixed anytime soon.

Shop NOW for some of the best Black Friday deals on the internet!

Some of the best features of Android are its customization and modularity. You can exchange parts of the phone software with third-party versions created by other developers. It takes a lot of trust given to developers, especially when it comes to data like SMS messages, and sometimes that trust is not rewarded.

Although the app has over a hundred million downloads, it’s unclear how many of them are recent. Most Android phones sold in 2020 come with Google Messages as their default messaging app, and users still prefer to use end-to-end encrypted apps like Telegram and WhatsApp. If you have this app installed, it goes without saying that you should probably get rid of it.