An Android app with more than 10 million downloads left users’ selfies, pictures, audio messages, and other sensitive data exposed online for all to see. The app, called Drupe, was once named a “Google Play Editor’s Choice.”
Drupe promises to help users "forget" traditional phonebook apps by letting them reach their contacts in one place, with calls, text messages, audio messages, and integrations with other popular apps such as WhatsApp, Skype and Hangouts. The Next Web called it “a cleverly designed dialer every Android user should try.” Google featured Drupe in a recently deleted (but archived) post on the Android Developers website, praising the developers and awarding it a “Google Play’s Editor’s Choice.”
But its developers made a huge mistake. Until this week, Drupe users were unknowingly uploading some of their data to unprotected, unauthenticated servers on Amazon Web Services. This meant that anyone who knew where to look could access Drupe users’ pictures, audio messages, and potentially more.
Security researcher Simone Margaritelli started researching the app on Saturday. He found the insecure servers and started live-tweeting his discoveries without naming the app he was looking into. When Margaritelli told me about the app, he pointed me to the servers and I was able to verify that they were indeed publicly accessible to anyone who knew where to look. I was able to access several users’ pictures and even audio recordings of messages.
Margaritelli told me that, in theory, one could also enumerate the user IDs, which were easy to guess, and access all of their metadata, including call logs, SMS, multimedia messages, and more.
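The two weaknesses described above, storage that answers anonymous requests and object paths built from guessable user IDs, are the kind of thing that can be checked for mechanically before a release. What follows is an added example written for this article and not Drupe's code. The article says only that the data sat on unauthenticated servers on Amazon Web Services, so the S3 bucket policy format, the bucket name, the IAM role ARN and the object keys below are assumptions constructed for illustration.

```python
"""Check a bucket for the two problems the researcher describes: a policy
that lets anonymous principals read or list objects, and object keys built
from sequential user IDs that an attacker can simply iterate over.

Added example, not Drupe's code. The policies, bucket name, role ARN and
object keys are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List

# Actions that let an anonymous caller fetch or enumerate objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value) -> list:
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal) -> bool:
    """True when the Principal is the wildcard, i.e. anyone, unauthenticated."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy: Dict) -> List[Dict]:
    """Allow statements granting read/list to anonymous principals with no
    Condition narrowing them. Statements with a Condition still deserve a
    manual look, but they are not flagged here."""
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS and not stmt.get("Condition"):
            flagged.append(stmt)
    return flagged


# Keys of the form users/<short decimal id>/... are trivially enumerable.
_SEQUENTIAL_USER_KEY = re.compile(r"^users/\d{1,10}/")


def guessable_key_fraction(keys: Iterable[str]) -> float:
    """Fraction of object keys whose user segment is a short decimal number."""
    keys = list(keys)
    if not keys:
        return 0.0
    hits = sum(1 for k in keys if _SEQUENTIAL_USER_KEY.match(k))
    return hits / len(keys)


def audit(policy: Dict, keys: Iterable[str]) -> Dict[str, object]:
    """Combine both checks into one report."""
    public = public_read_statements(policy)
    return {
        "public_read_sids": [s.get("Sid") for s in public],
        "guessable_key_fraction": guessable_key_fraction(keys),
    }


# --- constructed sample inputs (assumptions, not data from the article) ---
BUCKET_ARN = "arn:aws:s3:::example-media-bucket"

PUBLIC_POLICY = {  # the exposed pattern: anyone may list and fetch
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanListAndRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}

HARDENED_POLICY = {  # only the backend role reads; clients get short-lived presigned URLs from it
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BackendRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-backend"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": BUCKET_ARN + "/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

SEQUENTIAL_KEYS = [  # guessable: increment the number and you have the next user
    "users/1001/walkie/2018-05-05T10-02.ogg",
    "users/1002/walkie/2018-05-05T10-07.ogg",
    "users/1003/call-share/selfie.jpg",
]
RANDOM_KEYS = [  # 128-bit random user identifiers cannot be iterated
    "users/9f2a7c0e6b1d4e8fa3c5b7d9e1f2a4c6/walkie/2018-05-05T10-02.ogg",
    "users/0c4d1e8b7a6f5e4d3c2b1a0f9e8d7c6b/call-share/selfie.jpg",
]

if __name__ == "__main__":
    print("exposed  :", audit(PUBLIC_POLICY, SEQUENTIAL_KEYS))
    print("hardened :", audit(HARDENED_POLICY, RANDOM_KEYS))
```

Run stand-alone, the script reports the public policy's offending statement and a guessable-key fraction of 1.0 for the sequential layout, and nothing for the hardened bucket. Note that fixing the policy alone is not enough: if the app still serves files through long-lived public URLs that embed a sequential user ID, an attacker who obtains one URL can still walk the rest, which is why the hardened layout pairs a private bucket with unguessable identifiers.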
"The amount of data left online is crazy," Margaritelli told me in an online chat while the data was still available over the weekend. He estimated that there were billions of images and audio messages left online.
A Drupe spokesperson said in an email that the company “fixed the bug within an hour” of being alerted to it, and deleted the files left online. The spokesperson said, however, that the company is still investigating how long those files were exposed. As of Tuesday, the servers that were previously accessible were no longer reachable.
In a blog post, Drupe said the exposed files were sent via the Drupe Walkie Talkie feature and another feature that allows users to share images during a call. These features, the company’s CEO said, were used by “less than 5% of Drupe users.”
After this article was published, the Drupe spokesperson denied there were billions of files exposed, as Margaritelli said.
"The security vulnerability that was discovered impacted several dozens of thousands of files, affecting less than 3% of all drupe users who chose to use very specific features," the spokesperson said in a statement. "We immediately fixed and secured the bug and then deleted all of the affected data. We also eliminated until further notice the features that were impacted altogether, and we notified our users of these events."
Margaritelli thinks Drupe was created with the goal of harvesting users’ data. He pointed to the permissions Drupe requests from Android users, which give it access to almost everything you can think of (camera, call logs, audio, calendar, Bluetooth), as suspicious.
“Regardless of whether the app is malicious or not, it has no logical reason to gather all this data and store it on its servers,” he told me. “It’s a good habit to check the permissions requested by each app you use and, if not strictly necessary, avoid installing such invasive apps.”
In its statement, Drupe said: "All of the permissions requested by Drupe to access users data are strictly needed to operate drupe service features and are never used for any purpose other than for providing these features. No user data, under any circumstances, is being shared with third parties for their commercial uses nor is any user data commercialized in any way. drupe's business model is completely based on in-app purchases and advertisement."
After he posted a thread about his discoveries on Saturday, someone else figured out which app he was talking about and reported it to Google, Margaritelli told me. As of Tuesday morning, the app is not available on the Play Store. You can see an archived version of it here. The app also exists for iPhone.
A Google spokesperson said in a statement that the company is "in contact with the developer about the app's handling of user data."
UPDATE, May 8, 4:06 p.m. ET: This story was updated to include new comments from Drupe.
UPDATE, May 8, 5:53 p.m. ET: This story was updated to include a statement from Google.