Your kid's iOS tracker app might be giving stalkers a GPS roadmap


Watching over your kids with an iOS tracking app? Cybercriminals might be watching, too.

  • An iOS GPS App with 320,000 users exposed their phone numbers and GPS location data, making a stalker’s dream come true
  • The leak was caused by a passwordless Firebase database
  • Attackers could get real-time access to the iPhone app users' live GPS locations
  • The GPS App also leaked other sensitive secrets that could facilitate further cyberattacks
  • Cybernews has contacted the iOS app developers multiple times but received no answer

People use tracking apps to keep tabs on their kids, partners, or that one friend who always gets lost on a night out. It’s all about safety – until it isn’t. What if it’s not just you keeping track of your loved ones, but cybercriminals, too?


Cybernews researchers have found that a GPS App, downloaded 320,000 times on Apple’s App Store, was leaking GPS locations to anyone who knew where to look.

The leak was caused by a Firebase security rule misconfiguration. Leaked GPS data was paired with usernames, device details, and phone numbers, so bad actors could easily piece together who you are and where you’ve been. That’s not just a privacy nightmare – it’s a stalker’s dream come true.

To make matters worse, secret keys buried in the app’s code could have been used to dig even deeper into user data. Cybernews has contacted the iOS app developers multiple times but received no answer.

How might cybercriminals know your location?

At the time of discovery, nearly 20,000 data points were stored on the unsecured Firebase database belonging to the GPS App. Such databases are often used as temporary ones. Once they hit a certain threshold, the oldest entries are supposed to be wiped.

However, this won’t stop hackers from gaining access to your data. An attacker could quietly gather a massive stash of sensitive data without breaking a sweat by setting up a scraper, an automated program that relentlessly pulls fresh data from the exposed Firebase instance.

The most worrying aspect is that with this setup, attackers could get real-time access to the app users' live GPS locations. This is extremely dangerous, especially if the app is used to track minors, as someone might exploit the vulnerability to locate children.
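The misconfiguration behind this leak is a Realtime Database rules file that grants access without any sign-in. The following linter is an added example (not the app’s real rules, which the article does not reproduce, and not Cybernews tooling); both rule documents are constructed, and the "no auth in the rule string" check is a heuristic.

```python
import json

# Constructed Realtime Database rules (not the app's actual rules). A literal
# true at the root is the "passwordless" misconfiguration: every path is
# readable and writable by anyone who knows the database URL.
OPEN_RULES = json.loads("""
{"rules": {".read": true, ".write": true}}
""")

# Hardened variant: a signed-in user can read and write only the node keyed by
# their own uid, so a leaked database URL no longer exposes other users' data.
SCOPED_RULES = json.loads("""
{"rules": {"locations": {"$uid": {
    ".read": "auth != null && auth.uid == $uid",
    ".write": "auth != null && auth.uid == $uid"}}}}
""")

def find_public_access(rules, path="/"):
    """List (path, permission) pairs an unauthenticated client could satisfy.

    Flags a literal true, any string rule that never references `auth`
    (heuristic: a rule such as "data.exists()" holds for anyone), and rules
    that explicitly admit "auth == null". Firebase rules cascade downward,
    so a hit at "/" covers the entire tree.
    """
    findings = []
    for key, value in rules.items():
        if key in (".read", ".write"):
            allows_anon = value is True or (
                isinstance(value, str)
                and ("auth" not in value or "auth == null" in value))
            if allows_anon:
                findings.append((path, key))
        elif isinstance(value, dict):
            child = path.rstrip("/") + "/" + key
            findings.extend(find_public_access(value, child))
    return findings

def is_passwordless(rules_document):
    """True when any read or write rule is satisfiable without signing in."""
    return bool(find_public_access(rules_document["rules"]))
```

Run it against the rules file exported from the Firebase console before each release; any finding at "/" means the whole dataset is public.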

“GPS data can be used to infer daily activities which could be used for social engineering attacks,” said Cybernews researcher Aras Nazarovas, who was the first to spot the leak.


“One of the most obvious dangers is potential stalkers getting access to such data, making it much easier to track and find targeted people,” he added.

Image: leaked user data from the iOS GPS tracker app

What did the iOS GPS tracker leak?

The app code also exposed other sensitive information, commonly known as secrets. These exposed secrets are among the top 10 most commonly leaked secrets in iOS apps.

Cybersecurity experts warn that leaving API keys, credentials, and other sensitive information in the published app’s code – or, in other words, "hardcoding" them – is a dangerous practice that could open the door to attackers.

What secrets the app leaked:

  • API Key
  • Client ID
  • Database URL
  • Google App ID
  • Project ID
  • Reversed Client ID
  • Storage Bucket
  • GAD Application Identifier
  • Facebook App ID

If the app is leaking API keys, client IDs, and other app credentials, it is just a matter of time before attackers exploit it. Take an API key – this piece of data is the gateway to Google’s services, and if it falls into the wrong hands, attackers can run up your bill with fraudulent requests or drain your service quotas.

But it gets worse. If the app is linked to sensitive user data, those same hackers could use the exposed keys to wreak havoc behind the scenes, disrupting services and exploiting any weaknesses in your app’s security framework.

Leaked secrets like Google App IDs or Project IDs are basically an open invitation for hackers to mess with the app’s analytics or, worse, impersonate your app and trigger shady sign-ins to steal personal info.


When attackers get their hands on a reversed client ID, database URL, or storage bucket access, they can go full throttle, stealing data, dropping malicious files, or draining bandwidth.
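The secrets listed above are the standard keys of an iOS app’s GoogleService-Info.plist, plus ad and social SDK identifiers in Info.plist. The pre-release audit below is an added example (not Cybernews’ scanner or the app’s code); the plist and the `strings` output are constructed with placeholder values, and the exposure notes restate the article’s descriptions.

```python
import plistlib
import re

# Constructed GoogleService-Info.plist with placeholder values (the real app's
# file is not on the page); the key names are the ones Firebase ships in it.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>API_KEY</key><string>AIza0123456789abcdefghijklmnopqrstuvwxy</string>
<key>CLIENT_ID</key><string>000000000000-placeholder.apps.googleusercontent.com</string>
<key>REVERSED_CLIENT_ID</key><string>com.googleusercontent.apps.000000000000-placeholder</string>
<key>DATABASE_URL</key><string>https://example-project.firebaseio.com</string>
<key>STORAGE_BUCKET</key><string>example-project.appspot.com</string>
<key>GOOGLE_APP_ID</key><string>1:000000000000:ios:0000000000000000</string>
<key>PROJECT_ID</key><string>example-project</string>
<key>BUNDLE_ID</key><string>com.example.gpsapp</string>
</dict></plist>"""
# Constructed `strings` output from an app binary: a key pasted into Swift
# source rather than the plist still ships inside the binary.
SAMPLE_STRINGS = "FirebaseApp\nAIzaZYXWVUTSRQPONMLKJIHGFEDCBA987654321\nhttps://other-project.firebaseio.com\n"
# Plist keys the article lists as leaked, with the exposure it describes.
SECRET_KEYS = {
    "API_KEY": "gateway to Google services: fraudulent requests, quota and billing abuse",
    "CLIENT_ID": "OAuth client: app impersonation and rogue sign-in flows",
    "REVERSED_CLIENT_ID": "OAuth redirect scheme: same exposure as CLIENT_ID",
    "DATABASE_URL": "Realtime Database endpoint: direct data access if rules are open",
    "STORAGE_BUCKET": "Cloud Storage bucket: data theft or malicious uploads if rules are open",
    "GOOGLE_APP_ID": "Firebase app id: analytics tampering",
    "PROJECT_ID": "Firebase project id: analytics tampering",
}
# The same secrets when they appear outside the plist (well-known formats).
PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "firebase_db_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
}

def find_plist_secrets(plist_bytes):
    """Return {key: value} for each sensitive key present in the plist."""
    data = plistlib.loads(plist_bytes)
    return {k: v for k, v in data.items() if k in SECRET_KEYS}

def find_string_secrets(text):
    """Return {pattern_name: [matches]} for secrets embedded in binary strings."""
    return {name: rx.findall(text) for name, rx in PATTERNS.items() if rx.search(text)}

def audit(plist_bytes, strings_text):
    # One finding line per exposed secret, suitable for a release checklist.
    lines = [f"{k}: {SECRET_KEYS[k]}" for k in find_plist_secrets(plist_bytes)]
    for name, hits in find_string_secrets(strings_text).items():
        lines += [f"{name} in binary: {h}" for h in hits]
    return lines
```

Feed it the plist from the built .ipa and the output of `strings` over the main executable; every line it prints is a value an attacker can read out of the shipped app.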


The leak was uncovered during a large-scale investigation by Cybernews. The researchers downloaded 156,000 iOS apps, which is around 8% of all apps on the Apple Store, to discover that app developers are leaving plaintext credentials in the application code accessible to anyone.

The findings revealed staggering numbers: 71% of the analyzed apps leak at least one secret, with an average app's code exposing 5.2 secrets.

Recently, other Cybernews research revealed that popular iOS dating apps leaked extremely dangerous secrets. They granted access to storage buckets with nearly 1.5 million user photos, including photos removed for rule violations and private photos sent through direct messages.

Timeline:

Discovered: January 7th, 2025
Initial disclosure sent: January 25th, 2025
CERT contacted: February 12th, 2025
