There’s no native call recording function within iOS, despite earlier rumours suggesting that Apple was thinking of finally introducing the functionality onto iOS 14. Still, a number of third-party apps have offered you the ability to record your phone calls, including one that has a rather straightforward name: Call Recorder. According to the official website, the app is a “Top 20 Business App” in over 20 countries, while the app boasts over 1,000,000 downloads on the App Store.
It’s for good reason, too, with the Call Recorder app able record your calls, edit the recordings, and even upload the tracks to cloud storage services like Dropbox, Google Drive, and Onedrive. However, a security vulnerability has been discovered by the founder of PingSafe AI, a security research firm. Prakash shared his findings on PingSafeAI’s blog, explaining that “we could have listened to anyone’s call recordings”—an ominous headline, to say the least.
What happened?
Basically, the researcher discovered that a bug in the app could have allowed anyone to listen to call recordings from other users on the service—by simply knowing their phone number, and a little technical know-how. The app requires a phone number to register, and Prakash used proxy tools to view and modify the in/out network traffic for the Call Recorder app. Then, he managed to switch his registered phone number for another user’s number, and access that user’s recorded calls—all from his own phone.
According to the report on PingSafe AI, the vulnerability has now been patched by the team, although the folks over at Tech Crunch discovered that over 130,000 audio recordings—about 300GB’s worth—was earlier saved on Call Recorder’s cloud storage server, and possibly susceptible to any potential attackers.
“Anand with the help of PingSafe AI’s threat intelligence product discovered this vulnerability while doing open source intelligence across mobile applications in different categories. PingSafe AI decompiled the IPA file and figured out S3 buckets, host names and other sensitive details used by the application. The vulnerability allowed any malicious actor to listen to any user’s call recording from the cloud storage bucket of the application and an unauthenticated API endpoint which leaked the cloud storage URL of the victim’s data.”
– PingSafe AI
If you have the app downloaded, remember to update your app to its latest version, which was made available on the 6th of March 2021. When updating, be sure to check if your app is on version 2.26 or later—just to be safe. It’s worth noting that the Call Recorder app has free and premium tiers, but auto-renew will be on by default. If you’re keen, you can read the full, technical breakdown of the vulnerability on PingSafe AI’s blog here.
