Android voice chat app leaked private user conversations


A popular app for voice chats, OyeTalk, stored unencrypted user chats on a database unguarded by a password.

The popularity of voice chats has been growing in recent years in line with the increased need for online communication. Voice chatting has become an essential tool to facilitate digital communication for education, learning, socializing, gaming, and work purposes.

There are numerous apps in the market with voice-chat functionalities, including well-known apps such as Discord, Zoom, Skype, Google Meet, Microsoft Teams, and WhatsApp.

The research by Cybernews has discovered that OyeTalk – a voice-chat app with five million downloads on Google Play Store and a 4.1 out of 5 star rating from 21,000 reviews – had left its database open to the public, exposing users’ private data and conversations.The OyeTalk platform allows users to interact in discussion rooms on various topics and host podcasts. On the website, the app is advertised “as one of the fastest-growing audio talent-hosting applications”, available to download in more than 100 countries.

Screenshot from www.oyetalk.tv
Screenshot from www.oyetalk.tv

Why this matters

Researchers discovered that OyeTalk was leaking data through unprotected access to Firebase, Google's mobile application development platform that provides cloud-hosted database services.

If the data leaked had not been backed up and a malicious actor had chosen to delete the dataset, it is possible that the user's private messages would have been permanently lost without the possibility of recovery.

The open Firebase instance exposed more than 500MB of data comprising unencrypted user chats, usernames, and cellphone International Mobile Equipment Identity (IMEI) numbers.

IMEI number is a unique identifier assigned to all factory-built mobile phones, tablets, and other devices with cellular connection capabilities, such as smartwatches. Using IMEI, law enforcement and threat actors can identify a device and the legal owner of the device. Spilling IMEI numbers on every message sent is a vast privacy intrusion, as the message is permanently associated with a specific device and its owner at the time. Threat actors could exploit it to impose ransom.

Along with an open Firebase instance, the developers left some sensitive information, commonly known as secrets, hardcoded in the application's client side, including Google API (application programming interface) key and links to Google storage buckets.

Hardcoding sensitive data into the client side of an Android app is unsafe, as in most cases it can be easily accessed through reverse engineering. In the past, this sloppy security practice has been successfully exploited by threat actors in other apps, resulting in data loss or complete takeover of user data stored on open Firebases or other storage systems.

The app developers were informed of the data spill but failed to close public access to the database. However, since the spill got too big, Google’s security measures managed to close off the instance, notifying that the dataset was too large to download in one go.

Not a one-off

The recent data leak is not the first to affect the OyeTalk app. A Cybernews investigation shows the database was previously discovered and marked as vulnerable to data leaks by unknown actors, presumably without malicious intent. The database contained specific fingerprints used to mark open Firebases, known as “Proof of Compromise (PoC)”.

PoC shows that a researcher or threat actor has programmatically accessed an open firebase and marked it as vulnerable. Such intrusions demonstrate that the database lacks proper authentication for viewing data, and proper authorization for inserting or editing existing data. For example, suppose the database were accessible to anyone and contained sensitive data, such as an administrator's email login: in that case, a malicious actor could change the email address to their own and then use the "forgot password" feature to gain access to the admin account within the app.

Leaky Android apps

OyeTalk is one of thousands of apps on the Google Play store vulnerable to data leaks.

Earlier this year, Cybernews analyzed over 33,000 Android apps and found that the most sensitive types of hardcoded secrets left exposed were application programming interface (API) keys used to authorize projects, links to open Firebase datasets, and Google storage buckets.

top 10 app categories by found secrets
Results of the Android apps research. Image by Cybernews

Results showed that over 14,000 apps had Firebase URLs on their front end. Out of these, more than 600 were links to open instances. This means that by examining the public information on an app and applying reverse engineering, a malicious actor could gain access to a database and, potentially, user data.

The five categories of apps that contained the most hardcoded secrets were health and fitness, education, tools, lifestyle, and business.