An SMS messaging app for Android called Go SMS Pro is indiscriminately leaking all kinds of private data belonging to its 100 million users. The security firm Trustwave discovered this and contacted the app's developers three months ago to notify them (free of charge) of the security problem. However, the developers have not even replied, and of course they have not fixed the problem, which we describe below.
Go SMS Pro has a feature that uploads images, videos or any other file to its own servers. This happens automatically and by default for every message sent with the app that carries any kind of media attachment. These files remain stored on Go SMS Pro's servers even after the person on the other side, the recipient of the message, has already downloaded them. But that is not the real problem. Where they went completely wrong is that the attached files are all uploaded with a progressive sequence, that is, a number in the file name. Knowing the URL of one of them (and the app itself gives you that URL), simply changing the number makes it possible to view files sent by other users of the app.
So, in a few minutes, it is easy to find all kinds of photos and videos (obviously many of them explicit), but also all kinds of documents containing bank account details, addresses, names, passwords... The situation is very serious because the people using this app have no idea that this is happening.
Trustwave says that, having received no response from the developers, it is making the vulnerability public to warn users not to send sensitive data through this app, so that their privacy is not compromised.
In the iPhone App Store this kind of problem, while not impossible, is less likely to occur, because the app review team also inspects the app's network connections and checks for exactly these issues. The fix for what Go SMS Pro does is to use a hashed file name: a very long alphanumeric code generated randomly and unique to each file. Furthermore, requests for these files should be limited to those the app itself can make, rather than being open to any computer or smartphone with Internet access. Lastly, those connections should be encrypted, but astonishingly, they are not: they use the http:// protocol instead of https://, meaning there is no SSL certificate encrypting the end-to-end transfer of that data. Go SMS Pro most likely would not have been accepted into the App Store for this reason alone.
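The two server-side fixes the article calls for (unguessable file names and an authorization check on every download, served only over https://) are illustrated below in a small Python module. This is an added example written for this article; it is not Go SMS Pro's code or Trustwave's, and it uses an in-memory dictionary as a stand-in for the real attachment storage. The hostname in `BASE_URL` and all user names are made-up placeholders.

```python
import secrets
from typing import Dict, Optional

# Placeholder origin for download links; the real service would use its own host.
BASE_URL = "https://attachments.example/files/"

# Constructed in-memory store standing in for server-side attachment storage:
# token -> {"owner": sender, "recipient": receiver, "data": file bytes}
_attachments: Dict[str, dict] = {}


def store_attachment(owner: str, recipient: str, data: bytes) -> str:
    """Store an attachment under an unguessable name and return that name.

    secrets.token_urlsafe(32) draws 32 random bytes (256 bits) from the OS
    CSPRNG, so one file's name reveals nothing about any other file's name,
    unlike a counter where the next name is the previous one plus one.
    """
    token = secrets.token_urlsafe(32)
    _attachments[token] = {"owner": owner, "recipient": recipient, "data": data}
    return token


def fetch_attachment(token: str, requester: str) -> Optional[bytes]:
    """Return the file only to the sender or the intended recipient.

    The random name alone is not the access control: the server still checks
    who is asking, so a link that leaks (shared, logged, cached) does not let
    an arbitrary client read the file. Unknown tokens and unauthorized
    requesters get the same None, so the response does not confirm whether
    a token exists.
    """
    entry = _attachments.get(token)
    if entry is None:
        return None
    if requester not in (entry["owner"], entry["recipient"]):
        return None
    return entry["data"]


def build_download_url(token: str) -> str:
    """Always hand the client an https:// link, never a plain http:// one."""
    return BASE_URL + token


def is_sequential_name(name: str) -> bool:
    """Audit helper: flag a file name whose stem is a bare decimal counter,
    the pattern the article describes. Useful when reviewing an existing
    upload directory for names that should be migrated to random tokens."""
    stem = name.rsplit(".", 1)[0]
    return stem.isdigit()


if __name__ == "__main__":
    # Constructed sample: alice sends bob a small attachment.
    tok = store_attachment("alice", "bob", b"constructed sample attachment")
    print("download link:", build_download_url(tok))
    print("bob can read:  ", fetch_attachment(tok, "bob") is not None)
    print("mallory can read:", fetch_attachment(tok, "mallory") is not None)
    print("'000123.jpg' looks sequential:", is_sequential_name("000123.jpg"))
```

Two design points are worth noting. The random name defends against guessing, while the requester check defends against a name that has already leaked; each covers a case the other does not, which is why the article asks for both. Returning the same `None` for "no such file" and "not allowed" also keeps the download endpoint from acting as an oracle for which tokens are valid.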