- Drupe is a popular dialer app that incorporates different apps under one roof, creating a kind of “master” contacts app.
- Last week, the app was removed from the Play Store when it was discovered that user data was available online to anyone who knew where to find it.
- Drupe is back on the Play Store now, and the vulnerability has been patched. But is that enough?
Last week, a security vulnerability in the popular dialer app Drupe was discovered that left the data of tens-of-thousands of users open to anyone who wanted to view it. When the vulnerability was exposed, the Drupe app was removed from the Google Play Store.
However, the app is now back on the Google Play Store for anyone who would like to download it. I just tested a download, install, and activation of the app on my OnePlus 5 running Android 8.1 Oreo, and everything went as expected.
The question is: how many people will actually keep the app after the exposure of this massive vulnerability?
Drupe’s security issues were first brought to light by security researcher Simone Margaritelli, who corresponded with Motherboard on the topic. Margaritelli discovered the vulnerabilities and started live-tweeting his findings; however, he did not disclose the name of the app he was investigating at the time.
Margaritelli found that some of the copious amounts of data Drupe collects from users was being stored on an insecure Amazon Web Services server. That means that anyone who knew where to look could view call histories, pictures, and even audio recordings of messages.
Motherboard verified Margaritelli’s information and found that it was indeed easy for anyone to gain access to the data on the server. Furthermore, the team discovered that, in theory, one could pretty easily extrapolate user IDs and thus access any one users’ entire Drupe history.
Anyone with an internet connection and the knowledge of where to look had access to Drupe’s user data.
While Margaritelli was live-tweeting this info, someone else pieced together which app the tweets were about. This user reported it to Google, which in turn removed Drupe from the Google Play Store sometime on Tuesday last week.
Drupe posted on its blog that it fixed the security vulnerability “within an hour” of discovery. It also clarified that only about 3 percent of Drupe users were affected by the vulnerability.
However, the whole situation raises a real concern about using Drupe: exactly how much information is the app collecting from its users, and does it really need that much?
Margaritelli believes that Drupe is actually a data harvester app. He said, “Regardless of whether the app is malicious or not, it has no logical reason to gather all this data and store it on its servers.” During his original live-tweet session, he posted this screenshot of all the permissions Drupe gets from its users:
?למה לא pic.twitter.com/cdIODiXoKP
— 🦄 (@evilsocket) May 5, 2018
Drupe, in response, said that “all of the permissions requested by Drupe to access user data are strictly needed to operate Drupe service features and are never used for any purpose other than for providing these features. No user data, under any circumstances, is being shared with third parties for their commercial uses nor is any user data commercialized in any way. Drupe’s business model is completely based on in-app purchases and advertisements.”
While that makes Drupe’s intentions seem pretty clear, one can’t help but wonder: what is the company going to do to assure users that this kind of vulnerability won’t happen again?
We reached out to Drupe to answer that very question, but it did not respond before press time. We will update this article should the company issue a statement on the matter.
A Google spokesperson told Motherboard that it is “in contact with [Drupe] about the app’s handling of user data.” Presumably, Drupe addressed all of Google’s concerns because the app is once again available for download. But will anyone download it?