
MacRumors

macrumors bot
Original poster
Apr 12, 2001


A security flaw in an app called "Call Recorder" exposed thousands of customer conversations, reports TechCrunch. The vulnerability was found by PingSafe AI researcher Anand Prakash, and has since been patched.


The Call Recorder app is designed to allow iPhone users to record their incoming and outgoing phone calls, with those recordings stored in the cloud on Amazon Web Services.

Using a proxy tool like Burp Suite, Prakash was able to view and modify network traffic going in and out of the app, and when replacing his phone number with the phone number of another Call Recorder user, their recordings became available on his phone.

There were more than 130,000 audio recordings available, though the files could not be accessed or downloaded outside of the app. TechCrunch informed the developer about the security flaw and it was fixed in an update on Saturday.

A recent report from mobile security firm Zimperium suggested that thousands of iOS apps that use public cloud services like Amazon Web Services, Google Cloud, and Microsoft Azure have improper setups that risk exposing user data.

6,608 iOS apps were found to be exposing users' personal information, passwords, and medical information. Zimperium CEO Shridhar Mittal said that cloud storage misconfigurations are a "disturbing trend."

"A lot of these apps have cloud storage that was not configured properly by the developer or whoever set things up and, because of that, data is visible to just about anyone. And most of us have some of these apps right now," he said.

No apps were named in the report because of the vulnerabilities involved, but some were major apps including a mobile wallet from a Fortune 500 company and a transportation app from a large city.

Article Link: Security Vulnerability in 'Call Recorder' App Exposed User Conversations
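
The flaw the article describes, where changing the phone number in a request returned another user's recordings, is a missing server-side authorization check. The sketch below is an added example, not code from the app, the researcher or the article: the handler names, session store, tokens and phone numbers are all hypothetical and constructed. It shows a handler that trusts the client-supplied number beside one that derives the account from the authenticated session.

```python
# Constructed sample data; the real backend's code and API are not public.
RECORDINGS = {
    "+15550100": ["rec-a1.m4a", "rec-a2.m4a"],
    "+15550199": ["rec-b1.m4a"],
}
# Server-side session store: token -> phone number verified at sign-up.
SESSIONS = {"tok-alice": "+15550100", "tok-bob": "+15550199"}


class Forbidden(Exception):
    """Raised when a request is not authorized for the account it names."""


def list_recordings_vulnerable(request: dict) -> list:
    # Flawed pattern: the account is selected by a field the client controls,
    # so a number edited in transit selects someone else's recordings.
    return RECORDINGS.get(request["phone"], [])


def list_recordings_hardened(request: dict) -> list:
    # Identity comes from the session token, resolved on the server.
    owner = SESSIONS.get(request.get("token"))
    if owner is None:
        raise Forbidden("unauthenticated")
    # A client-supplied number is accepted only if it matches the session's
    # identity; a mismatch is rejected and is a useful signal to log.
    claimed = request.get("phone", owner)
    if claimed != owner:
        raise Forbidden(f"session for {owner} asked for {claimed}")
    return RECORDINGS.get(owner, [])


def demo() -> dict:
    # A valid session whose phone field names a different account.
    tampered = {"token": "tok-alice", "phone": "+15550199"}
    try:
        hardened = list_recordings_hardened(tampered)
    except Forbidden as exc:
        hardened = f"denied: {exc}"
    return {"vulnerable": list_recordings_vulnerable(tampered),
            "hardened": hardened}


if __name__ == "__main__":
    print(demo())
```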
 
If you think that’s bad you should see Clubhouse.

Actually don’t. This app is being used to brainwash and steal data and conversations in a very bad way.

Today there was a conversation promoted by Clubhouse right on the front homepage and every member was talking about how to destroy the economy and brainwash the public to accept their economic and philosophical view of the world. It was a straight up doomsday cult.
 
We make a big fuss about big tech but they're worlds ahead of these small app makers in terms of security and privacy. Stop installing every shiny app you see. There are no watchdogs on that one app you just installed.
 
Anything goes in the walled garden as long as Apple gets its pound of flesh.

Remember when they said it was going to be curated?

You're safer using the open Web, thanks to the protections of Google.

If you use Safari Fraudulent Website Warning (which you probably do by default), that's a Google feature (Apple sends the URLs to Google's servers to check them).

None of this makes Apple look good in its antitrust hearings where they say consumers trust them to have a safe app store and thus can't allow third party app stores or payment services.
 


How Apple takes care of your privacy....
 
I always wonder why people need to record a phone call, since without consent it can’t be used as evidence in a trial and might be illegal in the US…… until someone from Instacart’s customer support told me to “get over it” and accept that they spy on their customers but it is not different from anyone else. I was like….but I’m paying for you to spy on me? And they said yes! …. I wish I had a way to record those calls.
 
Anything goes in the walled garden as long as Apple gets its pound of flesh.

Remember when they said it was going to be curated?
If you expected Apple to be able to somehow detect every bug or vulnerability in every 3rd party app, you have completely unrealistic expectations.

You're safer using the open Web, thanks to the protections of Google.
Thanks for the laugh.
 
I always wonder why people need to record a phone call, since without consent it can’t be used as evidence in a trial and might be illegal in the US…… until someone from Instacart’s customer support told me to “get over it” and accept that they spy on their customers but it is not different from anyone else. I was like….but I’m paying for you to spy on me? And they said yes! …. I wish I had a way to record those calls.
Correct me if I’m wrong, but in most US states you only need the consent from one participant of a recorded conversation.
 
I always wonder why people need to record a phone call, since without consent it can’t be used as evidence in a trial and might be illegal in the US…… until someone from Instacart’s customer support told me to “get over it” and accept that they spy on their customers but it is not different from anyone else. I was like….but I’m paying for you to spy on me? And they said yes! …. I wish I had a way to record those calls.
The laws in the US vary by state and jurisdiction. Some have 2 party consent, others only require 1 party. You are right that with consent, the recording can be used as evidence in court. I live in a 1 party consent state. Fyi, 37 other states and the District of Columbia are also 1 party consent.

With that knowledge in hand, it's not really that hard to fathom why people record calls.
 
Why are the recordings even stored anywhere other than on the device? Guess it's a dumb question, since the next thing wrong with this is that they were trusting the clients instead of actually authenticating requests.
 
Anything goes in the walled garden as long as Apple gets its pound of flesh.

Remember when they said it was going to be curated?

You're safer using the open Web, thanks to the protections of Google.

If you use Safari Fraudulent Website Warning (which you probably do by default), that's a Google feature (Apple sends the URLs to Google's servers to check them).

None of this makes Apple look good in its antitrust hearings where they say consumers trust them to have a safe app store and thus can't allow third party app stores or payment services.
How is the subject of the article Apple's fault?
 
If you expected Apple to be able to somehow detect every bug or vulnerability in every 3rd party app, you have completely unrealistic expectations.


Thanks for the laugh.
It's not my expectation.

It's their advertisement.

"The App Store gives people around the world a safe and trusted place to discover apps that meet our high standards for privacy, security, and content."

Their review process has been known for a while to be a bit of a joke.
 
How is the subject of the article Apple's fault?
It's not their fault. It's just not what they promise.

They say they won't allow third party app stores due to security and safety issues.

They have not proven they are responsible enough to curate apps to only offer safe and secure apps.

They can't even police their new nutrition labels, which have already been shown to be fake among many companies.

Yet they say:

"The App Store gives people around the world a safe and trusted place to discover apps that meet our high standards for privacy, security, and content."

Who's to say a third party app store couldn't do a better job?
 
How dare they spy on you spying on your caller!

(Or, do you seriously think all the people using this in two-party states are getting permission?)
 
It's not their fault. It's just not what they promise.

They say they won't allow third party app stores due to security and safety issues.

They have not proven they are responsible enough to curate apps to only offer safe and secure apps.

They can't even police their new nutrition labels, which have already been shown to be fake among many companies.

Yet they say:

"The App Store gives people around the world a safe and trusted place to discover apps that meet our high standards for privacy, security, and content."

Who's to say a third party app store couldn't do a better job?
Having a bug in your app is not the same thing as purposefully creating an app for nefarious reasons. I believe the app on this article falls into the first category.

You are trying to make Apple look bad here by painting a picture of this event that is not contextually actually as to what you quoted about Apple and the App Store.
 
I always wonder why people need to record a phone call, since without consent it can’t be used as evidence in a trial and might be illegal in the US…… until someone from Instacart’s customer support told me to “get over it” and accept that they spy on their customers but it is not different from anyone else. I was like….but I’m paying for you to spy on me? And they said yes! …. I wish I had a way to record those calls.

Sadly not true.
Recently wrapped up a legal issue where party A in a State without dual consent could record and use everything while the other side living in a dual party consent State could not.

Then again it can be fun to put "your call may be recorded for quality purposes..." on your line. :eek: The telemarketers hang up fast.
 
I always wonder why people need to record a phone call, since without consent it can’t be used as evidence in a trial and might be illegal in the US…… until someone from Instacart’s customer support told me to “get over it” and accept that they spy on their customers but it is not different from anyone else. I was like….but I’m paying for you to spy on me? And they said yes! …. I wish I had a way to record those calls.
Try calling any customer service dept multiple times. Half the time they deny having a log of the previous complaints or fail to relay the call correctly.

Being able to play the call back to their supervisor - priceless!
 
Who's to say a third party app store couldn't do a better job?
A third party app store that will entice developers to their store with lower fees than Apple's? How will these third party stores make their money? By collecting and selling your data, and letting as many developers on the store as they can.

And I don't think Epic and their ilk are complaining because they care about the 30/15% fee. It's about access to customer information.
 
It would be handy to record the odd business call, are there any other apps people would recommend?
 
It's not their fault. It's just not what they promise.

They say they won't allow third party app stores due to security and safety issues.

They have not proven they are responsible enough to curate apps to only offer safe and secure apps.

They can't even police their new nutrition labels, which have already been shown to be fake among many companies.

Yet they say:

"The App Store gives people around the world a safe and trusted place to discover apps that meet our high standards for privacy, security, and content."

Who's to say a third party app store couldn't do a better job?
Would you prefer that they deny apps hosting any data on third party storage solutions altogether and have the developer pay cloud storage fees for using only Apple's cloud servers?

The developer failed to secure their cloud storage in such a way that an unauthorized user could access the data with relative ease.
 