A popular Google Messages replacement exposed private user data

Messaging Apps on Android
Messaging Apps on Android (Image credit: Android Central)

What you need to know

  • Go SMS Pro, an Android messaging app with over a hundred million installs on the Play Store, has a massive security flaw.
  • Researchers were able to view files sent as attachments via the app remotely as the app would upload these files online with auto-generated, publicly accessible URLs.
  • The Go SMS Pro developers have yet to fix the issue.

Go SMS Pro, a popular third-party SMS app with over 100 million installs going off its Google Play listing has just been found to ship with a critical flaw.

Security researchers at the firm TrustWave found that the app was exposing user data carelessly by uploading files shared on the app to a public URL. After trying and failing to contact the app developers, they contacted the folks over at TechCrunch with their findings.

TechCrunch explained:

When a Go SMS Pro user sends a photo, video or other file to someone who doesn't have the app installed, the app uploads the file to its servers, and lets the user share a web address by text message so the recipient can see the file without installing the app. But the researchers found that these web addresses were sequential. In fact, any time a file was shared — even between app users — a web address would be generated regardless. That meant anyone who knew about the predictable web address could have cycled through millions of different web addresses to users' files.

The researchers did note that while it wasn't possible to target any individual user go Go SMS Pro, someone could cast a huge fishnet and dredge up a lot of private data. TechCrunch were able to find "person's phone number, a screenshot of a bank transfer, an order confirmation including someone's home address, an arrest record," and several compromising photos. The app developers have gone AWOL in the meantime, so it's not likely that this would be fixed soon.

Some of Android's best features are its customizability and modularity. You're able to swap out parts of your phone's software with third-party versions created by other developers. It does require a lot of trust being handed over to developers — especially when it comes to data like SMS messages — and sometimes that trust isn't rewarded.

While the app does have over a hundred million downloads, it's not clear how many of those are recent. Most Android phones sold in 2020 ship with Google Messages as their default messaging app, and users prefer to use end-to-end encrypted apps like Telegram and WhatsApp anyway. If you do have this app installed, it goes without saying you should probably ditch it.

Signal Private Messenger App Icon

Signal Private Messenger

Signal is the preferred app of choice for people who really care about privacy. It doesn't have all the latest gifs and stories, but it's a competent messaging app that puts security first.

Michael Allison