The Drupe App is Back on Google Play Store Following Vulnerability
Popular dialer app Drupe is now back on the Google Play Store, following a security vulnerability, for anyone who wants to download it.
A few days ago, a security vulnerability was discovered in Drupe that led to it being removed from Google Play Store; the vulnerability was serious and left personal data of tens of thousands of users open to anyone who wanted to view it. But now, just days after it was removed, Drupe is once again back on the Google Play Store for anyone to download. Experts, however, are not sure as to how many users would like to have the app now after the discovery of the vulnerability.
It was security researcher Simone Margaritelli who brought to light security issues that Drupe had. Simone Margaritelli live-tweeted the findings without naming the app. Later he continued the discussion with Motherboard writer Lorenzo Franceschi-Bicchierai, who authored a blog post titled ‘Android App With 10 Million Downloads Left Users’ Photos and Audio Messages Exposed to Public’.
In the blog post, dated May 8, 2018, Lorenzo Franceschi-Bicchierai says: “An Android app with more than 10 million downloads left users’ selfies, pictures, audio messages, and other sensitive data exposed online for all to see. The app, called Drupe, was once named a “Google Play Editor’s Choice.””
He continues: “Security researcher Simone Margaritelli started researching the app on Saturday. When he looked into it, he found the insecure servers and started live-tweeting his discoveries without naming the app he was looking into. When Margaritelli told me about the app, he pointed me to the servers and I was able to verify that, indeed, they were publicly accessible to anyone who knew where to look. I was able to access several users’ pictures and even audio recordings of messages…Margaritelli told me that, in theory, one could also enumerate the user ids, which were easy to guess, and access all their metadata, including call logs, sms, multimedia messages, and more.”
Google removed Drupe from the Google Play Store after someone who guessed which app Simone Margaritelli was referring to reported the matter to Google.
Drupe, on being alerted to the issue, reportedly fixed the bug in an hour; a blog post by the Drupe team said that the exposed files were sent via the Drupe Walkie Talkie feature. The blog post says: “On May 6th, 2018 we revealed that our server had a security vulnerability, potentially enabling unauthorized access to certain users’ media files and images sent using drupe Talkie or drupe’s proprietary image sharing feature… This vulnerability affected messages which were sent using drupe Walkie Talkie feature, or images sent via the image sharing feature during a call via drupe special messaging infrastructure (these features have been used by less than 3% of our users). To the best of our knowledge, having checked our systems, it didn’t affect any other drupe features or users…Once informed about the potential breach, we immediately blocked all access to Talkie and images stored on our servers.”
The incident has raised questions about the data that Drupe collects from its users, including whether Drupe really needs that much information.
Some hold the opinion that Drupe has no logical reason to gather all the information that it collects and then stores on its servers. Simone Margaritelli, who calls Drupe a data harvester app, had also posted on Twitter a screenshot of the many permissions Drupe gets from its users. Drupe has reportedly stated that it needs all the permissions it requests from its users in order to access the user data needed to operate Drupe service features. Drupe has reportedly clarified that these data are never used for any other purpose and that under no circumstances is any part of the data shared with third parties.
Well, as Drupe is now back on the Google Play Store and the vulnerability has been addressed, all seems well. But users have the right to ask Drupe what the company will do to assure them that such a vulnerability won’t happen again and that the personal data they allow Drupe to access is safe…
Drupe, in its blog post, reiterates: “The security of our users’ data is our top priority. It will always be so.”
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.