Security gaps in tracking apps
Data of millions of users exposed
Tracking apps, such as those parents use to monitor the whereabouts of their children, consistently have security gaps, and the gaps are so severe that an attacker can easily compile movement profiles of thousands of people.
Researchers from the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT) have examined popular tracker apps from the Google Play Store. The result: not a single one was securely programmed; all had serious vulnerabilities. Attackers can exploit these to compile movement profiles, read chats and text messages and view images.
Particularly alarming: attackers do not have to target each smartphone individually but can attack the millions of users who have these apps installed all at once. The scientists presented their findings for the first time on August 11 at the DEF CON hacking conference in Las Vegas.
Smartphone users can be monitored with so-called monitoring or tracker apps. Parents, for example, use such an app to know at all times where their children are and what messages and pictures they send. Using these apps is legal as long as the person being monitored consents. Athletes use tracking apps to take part in virtual competitions or to share their data with friends.
Stored in plain text
Scientists at Fraunhofer SIT examined 19 legal apps offered in the Google Play Store which, according to Google, have been installed several million times. They looked at how the highly sensitive user data these apps collect is protected. The result: every app had serious vulnerabilities; not a single one was securely programmed. In total, the researchers found 37 security vulnerabilities.
The highly sensitive data is usually stored on a server in plain text, without proper encryption.
"All we had to do was call up a specific website and enter a user name in the URL or make a guess to call up a person's movement profile," explains Fraunhofer project manager Siegfried Rasthofer, who investigated the apps together with the Fraunhofer hacking group TeamSIK. The researchers not only found individual records on the servers but were also able to read out the complete movement profiles of all users of these apps, which were stored unprotected on a server. "This makes it possible to track thousands of people in real time," says Rasthofer. Attackers can use the insecurely programmed apps not only to retrieve metadata such as locations but also to read and view content such as the text messages and images of the monitored users. "This makes complete surveillance possible," explains Stephan Huber, member of TeamSIK and researcher at Fraunhofer SIT.
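The flaw Rasthofer describes, a movement-profile endpoint that decides whose data to return from a user name in the URL and nothing else, is an object-level authorization failure. The following is an added illustration of that pattern and of the fix, not code from any of the apps Fraunhofer SIT examined; the host name tracker.example, the user names, coordinates and the in-memory tables are all constructed for the example.

```python
"""Constructed model of a tracker back-end with and without an ownership check.
Not code from any app in the Fraunhofer SIT study; all data below is made up."""

from urllib.parse import parse_qs, urlparse
import secrets

# Constructed sample table: username -> [(timestamp, latitude, longitude), ...]
LOCATIONS = {
    "alice": [("2019-08-01T08:00Z", 50.1109, 8.6821),
              ("2019-08-01T17:30Z", 50.1155, 8.6717)],
    "bob":   [("2019-08-01T07:45Z", 48.1351, 11.5820)],
}


class Forbidden(Exception):
    """Raised when a request carries no session or asks for another user's data."""


def _user_param(url: str):
    # Take the 'user' query parameter from the URL, or None when absent.
    return parse_qs(urlparse(url).query).get("user", [None])[0]


def vulnerable_movement_profile(url: str) -> list:
    """Weak pattern: the 'user' parameter alone decides whose history is
    returned. No session, no ownership check, so any user name that exists
    yields that person's complete movement profile."""
    return LOCATIONS.get(_user_param(url), [])


def harvest_profiles(candidate_names) -> dict:
    """What 'make a guess' scales to: walk a list of names against the weak
    endpoint and keep every hit. Nothing stops this running over all users."""
    hits = {}
    for name in candidate_names:
        profile = vulnerable_movement_profile(f"https://tracker.example/profile?user={name}")
        if profile:
            hits[name] = profile
    return hits


# Hardened pattern: the caller is identified by an opaque session token issued
# at login, and the server checks that the requested user is the caller.
SESSIONS: dict = {}  # token -> username


def login(username: str) -> str:
    """Issue a random, unguessable session token (credential check omitted)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def hardened_movement_profile(url: str, bearer_token: str) -> list:
    caller = SESSIONS.get(bearer_token)
    if caller is None:
        raise Forbidden("missing or invalid session")
    requested = _user_param(url)
    # The identifier in the URL is never trusted on its own; it must match the
    # authenticated caller. A real app would extend this check to explicitly
    # linked accounts such as a parent's child profile.
    if requested != caller:
        raise Forbidden(f"{caller!r} may not read {requested!r}")
    return LOCATIONS.get(caller, [])


if __name__ == "__main__":
    print("vulnerable, no session:",
          vulnerable_movement_profile("https://tracker.example/profile?user=bob"))
    print("harvested:", sorted(harvest_profiles(["alice", "carol", "bob"])))
    token = login("alice")
    print("hardened, own data:",
          hardened_movement_profile("https://tracker.example/profile?user=alice", token))
    try:
        hardened_movement_profile("https://tracker.example/profile?user=bob", token)
    except Forbidden as exc:
        print("hardened, other user:", exc)
```

The point of the contrast is that encrypting the database at rest would not have helped here: the server itself decrypts and serves the data to whoever asks, so the missing control is the per-request check that the caller owns the record being requested.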
The scientists also succeeded in reading the app users' login credentials. In most apps these, too, were stored unencrypted or protected only by completely inadequate encryption; in one app, for example, the team led by Siegfried Rasthofer and Stephan Huber found 1,700,000 sets of login credentials. The Fraunhofer scientists have informed the app providers and the Google Play Store of their findings. 12 of the 19 apps investigated have since been removed from the Play Store; other providers, however, have not reacted at all.
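Passwords in particular should never be recoverable from a leaked table, whether it is stored in plain text or under reversible encryption whose key sits on the same server. The following added example, which is not code from any app in the study, shows the standard alternative: a salted, deliberately slow password hash that is verified by recomputation. The user name and sample password are constructed.

```python
"""Password storage as a salted PBKDF2 hash, contrasted with plaintext storage.
Added example, not code from any app in the Fraunhofer SIT study."""

import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor; a common current recommendation, to be raised over time.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.
    A fresh random 16-byte salt per record means two users with the same
    password get different records and a precomputed table is useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time. Records in an unknown format are rejected, not guessed at."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed user table. A plaintext table {"alice": "hunter2"} hands an
# attacker every password the moment it leaks; this one yields only hashes,
# each of which costs ITERATIONS hash computations per guess to attack.
HASHED_TABLE = {"alice": hash_password("hunter2")}


if __name__ == "__main__":
    print(HASHED_TABLE["alice"])
    print("correct password:", verify_password("hunter2", HASHED_TABLE["alice"]))
    print("wrong password:  ", verify_password("hunter3", HASHED_TABLE["alice"]))
```

Encryption is the wrong tool for this job: the server would need the decryption key to check a login, so anyone who takes the database can usually take the key with it. A one-way hash with a per-record salt gives the server everything it needs to verify a password and nothing that reveals it.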