
An iPhone spam blocker meant to protect users from robocalls and malicious texts is leaking private data into the void.
With cheap and easy internet calling, telemarketers and scammers blast out billions of robocalls every month globally.
You might think that downloading a call and spam text blocker will make the noise stop. However, in some cases, the app meant to bounce unwanted or even illegal calls might become a tool for cybercriminals to get access to your data.
Researchers at Cybernews have just uncovered that Robo Spam Text & Call Blocker, an iOS app downloaded over 93,000 times, has been spilling sensitive user data thanks to a Firebase misconfiguration.
What data did the iPhone spam blocker leak?
- 1,800 customer support tickets, packed with real names and emails
- 339,000 reported phone numbers and spam messages
- 38,000 blocked keywords
Paradoxically, the app meant to protect you from spam messages is actually serving as a tool for scammers.
Cybercriminals can weaponize leaked data to craft convincing phishing emails. Think fake security alerts from your bank, urgent messages from "tech support," or even scams pretending to be from the call-blocking app itself.
With just your name and email, scammers can also attempt credential stuffing attacks, where they try your email across various services, hoping you’ve reused passwords.
Moreover, exposing blocked keywords and phone numbers tips off hackers about how the app filters junk. Instead of shooting blindly, with leaked data in hand, they might craft sophisticated phishing campaigns that slip past the filters.
The app was developed by Brantley Media Group, a Texas-based company specializing in online marketing, mobile, and web development. Cybernews has contacted the company multiple times, but has not received an answer.
It is not the first iPhone app developed by the company to spill user data. Cybernews has previously reported that another of the company’s apps, Novel AI: Book Creator, was leaking intimate stories created by users.
Secrets up for grabs
The app code also exposed other sensitive information, commonly known as secrets. The exposed secret types are among the 10 most commonly leaked secrets in iOS apps.
Cybersecurity experts warn that leaving API keys, credentials, and other sensitive information in the published app’s code, in other words "hardcoding" them, is a dangerous practice that could open the door to attackers.
List of secrets leaked by the iPhone spam blocker:
- API Key
- Client ID
- Database URL
- Google App ID
- Project ID
- Reversed Client ID
- Storage Bucket
- Live Branch.io Key
- Facebook App ID
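A pre-release check a developer could run over an app's own plist files to flag the secret types listed above before shipping. This is an added example, not code from the article or from Cybernews, and the sample values are constructed. It assumes the first seven items map to the standard GoogleService-Info.plist keys and that `branch_key` and `FacebookAppID` are the Info.plist keys read by the Branch and Facebook SDKs.

```python
import plistlib

# Assumed mapping: GoogleService-Info.plist keys plus the Facebook SDK's Info.plist key.
SECRET_KEYS = {
    "API_KEY": "API Key", "CLIENT_ID": "Client ID",
    "DATABASE_URL": "Database URL", "GOOGLE_APP_ID": "Google App ID",
    "PROJECT_ID": "Project ID", "REVERSED_CLIENT_ID": "Reversed Client ID",
    "STORAGE_BUCKET": "Storage Bucket", "FacebookAppID": "Facebook App ID",
}

def redact(value):
    """Keep a 4-character prefix so the report never reproduces the secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)

def walk(node, path=""):
    """Yield (key, path, value) for every string stored under a dictionary key."""
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, str):
                yield key, f"{path}/{key}", value
            else:
                yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from walk(item, f"{path}[{index}]")

def audit_plist(raw):
    """Return (secret type, key path, redacted value) per hardcoded secret."""
    findings = []
    for key, path, value in walk(plistlib.loads(raw)):
        parent = path.split("/")[-2]
        if key == "branch_key" or parent == "branch_key":
            # branch_key is a string or a {"live": ..., "test": ...} dictionary.
            if value.startswith("key_live_"):
                findings.append(("Live Branch.io Key", path, redact(value)))
        elif key in SECRET_KEYS and value:
            findings.append((SECRET_KEYS[key], path, redact(value)))
    return findings

# Constructed sample, not data from the app described in this article.
SAMPLE = plistlib.dumps({
    "API_KEY": "AIzaSyEXAMPLEexampleEXAMPLEexample00000",
    "DATABASE_URL": "https://example-project.firebaseio.com",
    "STORAGE_BUCKET": "example-project.appspot.com",
    "branch_key": {"live": "key_live_EXAMPLE", "test": "key_test_EXAMPLE"},
    "CFBundleName": "ExampleApp",
})
if __name__ == "__main__":
    print(*audit_plist(SAMPLE), sep="\n")
```

Several of these values are client identifiers that an app has to ship, so a finding here is a prompt to confirm that the backend behind each one enforces its own access controls, not proof of a leak.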
The leak was uncovered during a large-scale investigation by Cybernews. Researchers downloaded 156,000 iOS apps, which is around 8% of all apps on the Apple Store, to discover that app developers are leaving plaintext credentials in the application code accessible to anyone.
The findings revealed staggering numbers: 71% of the analyzed apps leak at least one secret, with an average app's code exposing 5.2 secrets.
Previous Cybernews research revealed that popular iOS dating apps leaked extremely dangerous secrets. They granted access to storage buckets with nearly 1.5 million user photos, including photos removed for rule violations and private photos sent through direct messages.
In another staggering incident, an iPhone app meant to track the location of family members was leaking GPS coordinates to anyone on the internet who knew where to look.
Disclosure timeline:
Leak discovered: January 7th
Initial disclosure: January 15th
CERT contacted: February 15th