28 Nov

If you're a Total SMS Control user, you may be interested in the latest findings of our good buddy Justin Case. He uncovered some rather alarming info within the app, and by alarming, I mean a crapload of exposed data, including SMS messages, emails, call logs, phone numbers, contact information, and GPS location. Yeah.

For the uninitiated, Total SMS Control is an app used to "spy" on other mobile phones. For example, if you install TSC on your child's (or spouse, employee, etc.) phone, it will sit silently in the background collecting emails, text messages, GPS location, and more. The collected data is then forwarded to an account of your choosing, be it email or SMS. In other words, this is a shady app to begin with - but here's where it gets scary.


A small fragment of the stored information

J Case cracked open the APK, and what did he find? The email addresses that TSC uses to send the extracted data, along with the password, all right there, in plain text. Turns out that TSC uses multiple email addresses to forward the requested information to the spy-er, and every single one of them is hardcoded into the APK. To make matters worse, the password is also hardcoded into the APK, and it's the same password for every account.


Names have been blurred to protect the innocent.

What does this mean? Well, in short, it means that anyone who has been using Total SMS Control has potentially exposed all of the data of the device they were spying on. Anyone who can crack open an APK (read: anyone) can easily access the Gmail accounts used to route the requested data. The dev could've at least set up a failsafe filter that deleted all data coming into the account after it had been forwarded to the appropriate channel, but he didn't even do that. There were an estimated 40,000 emails within the accounts - all just waiting to be read.
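The problem above (an account and its password shipped inside the APK, readable by anyone who unzips it) is cheap to catch before release. Here is an added example, not code from the article or from Total SMS Control, of a defender-side static check that unpacks an APK and flags strings that look like e-mail accounts, credential hints, or shipped secrets; the APK it scans is a constructed fixture and the entropy threshold is a heuristic.

```python
# Added example: static scan of an APK's dex/resource string pool for
# hardcoded mail accounts and password-like strings (defender's pre-release check).
import io
import math
import re
import zipfile
from collections import Counter

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")          # runs of printable ASCII
CRED_HINT_RE = re.compile(rb"(pass(word|wd)?|smtp|login|secret)", re.IGNORECASE)

def shannon_entropy(s: bytes) -> float:
    """Bits per byte; a high value hints at a machine-generated secret."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def extract_strings(data: bytes):
    """Printable runs, as they appear in a dex string pool or a resource file."""
    return [m.group(0) for m in PRINTABLE_RE.finditer(data)]

def scan_apk(apk_bytes: bytes) -> dict:
    """Scan every dex/resource/asset entry; return findings keyed by entry name."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not (name.endswith(".dex") or name.startswith(("res/", "assets/"))):
                continue
            hits = {"emails": [], "credential_hints": [], "high_entropy": []}
            for s in extract_strings(zf.read(name)):
                if EMAIL_RE.search(s):
                    hits["emails"].append(s.decode())
                elif CRED_HINT_RE.search(s):
                    hits["credential_hints"].append(s.decode())
                elif 8 <= len(s) <= 40 and b" " not in s and shannon_entropy(s) >= 3.5:
                    hits["high_entropy"].append(s.decode())   # password-shaped token
            if any(hits.values()):
                findings[name] = hits
    return findings

def build_fake_apk() -> bytes:
    """Constructed fixture: a 'dex' whose string pool ships a forwarding account."""
    pool = (b"\x00auto.fwd.mailbox@example.com\x00Xk9!qZ2#pL7v4Rm"
            b"\x00smtp.example.com\x00Hello world\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", pool)
        zf.writestr("res/values/strings.xml", b'<string name="app_name">Demo</string>')
    return buf.getvalue()
```

Any e-mail hit next to a credential hint in `classes.dex` is exactly the pattern described above and should block the release; the real fix is per-user credentials (or OAuth tokens) kept in app-private storage rather than anything baked into the package.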

Before you really start to panic, though, J Case informed the dev of this issue before this article was written, and it is said to have been fixed. Not only did the dev remove the account credentials from the APK, but he also deleted all of the 40,000 messages from the existing Gmail accounts.

The moral of this story? Users - don't assume your data is always safe.

Devs - please take more caution when toying with the private data of thousands of users.

Cameron Summerson
Cameron is a self-made geek, Android enthusiast, horror movie fanatic, and musician. When he's not pounding keys here at AP, you can find him spending time with his wife and kids, plucking away on the 6- or 7-string, or watching The Texas Chainsaw Massacre on repeat.

  • http://www.cyanogenmod.com ciwrl

    Twitter trolling, IRC trolling, and White Hatting; where does jcase find all the time xD

    • http://twitter.com/#!/brandonjnunn bjn714

      The funniest part of the whole thing is the picture of the hijacked email account telling you to enable 2 step verification to prevent hijacking. lol

  • Nobody

    Dude, fuck you if you use this app. Not only are you doing a shitty thing by invading someone's privacy, but now you're potentially exposing their shit to Anyone?

    GREAT. Whatever reason you're trying to monitor someone's shit, it's almost guaranteedly not a good reason.

    • http://trsohmers.com trsohmers

      Read the last two paragraphs, genius... Jcase contacted the developer and had this patched before. "White Hat Hacking"/Security Research is a GREAT thing, and Jcase is very good at doing it... he has helped both the general Android community and Android Application Developers through this sort of work by showing poor security, which discourages bad development techniques, PLUS weeds out the malicious developers and apps.

      Well done, you burrito loving troll... well done.

      • Geraldo Riviera

        Wow, such a nasty nastygram. You should read a post carefully before being so unpleasant.

    • Beesley

      Guaranteedly? lol

    • http://www.AndroidPolice.com Artem Russakovskii

      I've asked the guys to update the article, but what's not mentioned is we used responsible disclosure and notified both Google Security and the author, who then had the accounts disabled before we went live with the story. I'm waiting for a confirmation on that 100% from jcase, but that's my impression after talking to him last night.

      • jcase

        He said he changed the passwords on the accounts, and deleted the contents.

  • http://www.theandroidsite.com Ben Marvin

    Wow. I wonder how many other apps have the same sort of problem. Obviously not every app that sends something out to a server somewhere does it securely.

  • jcase

    Yes, I contacted both the developer and the Android security team at Google and waited for the dev to fix the problem before publishing.

    • http://www.cyanogenmod.com ciwrl

      Noble troll is noble

      Inb4 blind rage readers! :)

  • Sharon

    Why was the dev using *gmail* of all things to send out these messages? And probably a free account, no less. Were they that hard up for server space for their own SMTP?

  • Peter

    Goes to show you cannot have any expectation of privacy when you use these kinds of apps.

  • AndroidGeek

    I use the App, it is awesome, it is the best at what it does. The developer had long fixed the issue by responding to a review by a user on its market review page about sending mails from a certain auto.fwd.xxxxxxxxx Gmail account. The developer fixed it almost immediately in another update by forcing users to use their own outgoing Gmail account. I suppose those mails are for the few users who have not yet updated the app. Perhaps developer was giving them some grace period before completely pulling down the Gmail account which you guys have made him pull down. Well done guys and well done Developer for swiftly responding to issues and perfecting the app......cheers.

    • jcase

      The problem was not long fixed, as the accounts were still active, and logins still included in the APKs of the current version, as of two days ago. You can see the dates in the screen shots.

      • AndroidGeek

        oh...I am glad the issue is fixed now. Well done guys..

  • Honu

    Well... bulletproof programming, password right in the app.. :-)

  • Rara

    "So if I can no longer sign into my gmail (account has changed or login changed)" <<< that's the message. What does that mean? I use this, and this is what I got. Can anyone help me understand how to avoid this problem? Do I simply need to update the program?