iPhone app exposed other people's call recordings

Video and audio are huge privacy concerns for people. If something goes wrong with tech it can have major ramifications. You’re likely very familiar with warnings about video. However, audio hasn’t always been so prominent. It’s only really since the rise of home assistants like Amazon’s Alexa that audio worries have gone mainstream.

Turning up the volume on audio threats

Bluetooth earphones and similar devices have only helped to raise awareness of potential issues, as we consider the tools we use the most. It’s generally a lot harder to secure sound than vision. There isn’t an audio equivalent of the bit of tape over your webcam. You’re dealing with the innards of your device and that’s not for everyone. Either the hardware tinkering is beyond them, or their audio setup is a confusing mess of six audio devices and brand-specific audio controls.

It isn’t easy, and that’s just for desktop. Mobile is another proposition altogether, being an incredibly personal device yet something of a mystery-box to many owners. How does your Android phone work? Which version of Android is it even? How do the basic settings differ on your phone from mine? You’re giving me an iPhone for work? Sorry, I’ve never used one of those before.

These are just a sample selection of the things you’ll run into if you’ve ever been nominated as your household’s Christmas season tech support. Worse, a lot of what seems to happen on a phone actually happens in the cloud (such as interpreting voice commands), where it’s completely beyond your reach.

Which brings us neatly to a recent discovery.

Listening in to someone else’s recordings

Researchers found an issue with an iPhone call recording app, which boasts of “more than 1,000,000 downloads”. Used to record calls and then share clips via email or save them to storage solutions such as Dropbox and Google Drive, it offers a fair bit of flexibility for people in need of some audio recording.

The researcher who discovered the vulnerability used various security testing tools to view and modify network traffic used by the app. From there, they discovered it was possible to replace their own phone number with someone else’s. With that done, recordings from that phone (located in the cloud, on an Amazon AWS bucket) were available to them, without a password. The entire call history and the numbers calls were made on were also available, at least until the app was updated and the problem fixed by the developers.

Or, as the researchers at PingSafe put it:

The vulnerability allowed any malicious actor to listen to any user’s call recording from the cloud storage bucket of the application and an unauthenticated API endpoint which leaked the cloud storage URL of the victim’s data

Considering the kind of recordings people could make, this is a worrying thing to have happened. Think of all the business sensitive conversations people might have, or personal discussions, random thoughts, or anything else. Yes, we can argue people shouldn’t upload mission critical work conversations into the cloud (or even a laundry list of complaints about their neighbour). However, if you give people a recording app then record they will.
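The server-side pattern described in this section, an endpoint that trusts a phone number supplied by the client, is shown here beside one way to close it. This is an added example, not code from the app or from PingSafe; the session store, signing key, expiring-link scheme, function names and sample numbers are all assumptions, and this page does not describe the developers' actual fix.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: verified phone number -> private object key.
RECORDINGS = {"+15550100": "recordings/a1/call-001.m4a",
              "+15550199": "recordings/b2/call-777.m4a"}
# Constructed session store: opaque login token -> verified phone number.
SESSIONS = {"token-alice": "+15550100", "token-bob": "+15550199"}
SIGNING_KEY = b"demo-only-key"  # placeholder; keep real keys in a secret store
URL_TTL = 300  # seconds a signed link stays valid


def vulnerable_lookup(request):
    """Flawed pattern: no login check, owner taken from the request body."""
    return RECORDINGS.get(request["body"].get("phone"))


def mac_for(key, expires):
    msg = f"{key}:{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(key, now):
    """Issue an expiring link to one object in an otherwise private store."""
    expires = int(now) + URL_TTL
    return (f"https://storage.example.invalid/{key}"
            f"?expires={expires}&sig={mac_for(key, expires)}")


def verify_url(url, now):
    """Storage-side check: reject tampered or expired links."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    key, expires = parts.path.lstrip("/"), int(query["expires"][0])
    return hmac.compare_digest(mac_for(key, expires), query["sig"][0]) and now < expires


def hardened_lookup(request, now=None):
    """Owner comes from the session token, never from the request body."""
    now = time.time() if now is None else now
    owner = SESSIONS.get(request.get("token"))
    if owner is None:
        return 401, None  # unauthenticated callers get nothing
    claimed = request["body"].get("phone")
    if claimed is not None and claimed != owner:
        return 403, None  # mismatch: worth logging as a probing signal
    return 200, sign_url(RECORDINGS[owner], now)
```

The 403 branch doubles as a detection point: a logged-in account repeatedly asking for numbers it does not own is a pattern worth alerting on.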

The perils of audio data in the cloud

TechCrunch reports there were 130,000+ audio recordings, weighing in at some 300GB in size, in the storage bucket. That’s a lot of potential for mischief, pranks, trolling, or just plain old blackmail and extortion. If we’re lucky, the only person who noticed this was the researcher who reported it.

Audio has always been a source for security and privacy concerns. Whether we’re talking fake Twitch audio fixes or where people’s data ends up, it’s always worth keeping in mind.

It might not be as visible a concern as the usual security hot-spots on your laptops and mobile devices, or as obvious as video. All the same, it’s an important part of your overall security hygiene.

This is probably an excellent moment to check:

  • whether your audio software needs updating
  • whether your streaming accounts are secure
  • whether you’re happy with any audio files kept in the cloud

Follow these steps and hopefully your audio security will soon catch up with your visual-based best practices.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.