How Not To Design An App That Deals With User Authentication: Total SMS Control Potentially Exposed Private Data Of Thousands Of Users

Android Police

By Cameron Summerson

Published Nov 28, 2011

If you're a Total SMS Control user, you may be interested in the latest findings of our good buddy Justin Case. He uncovered some rather alarming info within the app, and by alarming, I mean a crapload of exposed data, including SMS messages, emails, call logs, phone numbers, contact information, and GPS location. Yeah.

For the uninitiated, Total SMS Control is an app used to "spy" on other mobile phones. For example, if you install TSC on your child's (or spouse, employee, etc.) phone, it will sit silently in the background collecting emails, text messages, GPS location, and more. The collected data is then forwarded to an account of your choosing, be it email or SMS. In other words, this is a shady app to begin with - but here's where it gets scary.

^{A small fragment of the stored information}

J Case cracked open the APK, and what did he find? The email addresses that TSC uses to send the extracted data, along with the password, all right there, in plain text. Turns out that TSC uses multiple email addresses to forward the requested information to the spy-er, and every single one of them is hardcoded into the APK. To make matters worse, the password is also hardcoded into the APK, and it's the same password for every account.

^{Names have been blurred to protect the innocent.}

What does this mean? Well, in short, it means that anyone who has been using Total SMS Control has potentially exposed all of the data of the device they were spying on. Anyone who can crack open an APK (read: anyone) can easily access the Gmail accounts used to route the requested data. The dev could've at least setup a failsafe filter that deleted all data coming into the account after it had been forwarded to the appropriate channel, but he didn't even do that. There were an estimated 40,000 emails within the accounts - all just waiting to be read.

Before you really start to panic, though, J Case informed the dev of this issue before this article was written, and it is said to have been fixed. Not only did the dev remove the account credentials from the APK, but he also deleted all of the 40,000 messages from the existing Gmail accounts.

The moral of this story? Users - don't assume your data is always safe.

Devs - please take more caution when toying with the private data of thousands of users.