Millions at risk: iOS app meant for privacy exposes private texts and more

[ccgr]

The Cybernews research team has uncovered a severe data leak affecting a popular iOS app, Second Phone Number, which has been downloaded nearly 4 million times – over 3 million in the US alone. Marketed as a solution for “private calls and texts,” the app has instead exposed exactly what it promises to protect.

In our latest investigation, we found that a misconfigured Firebase instance has been leaking user messages, media as well as sender and recipient details.

This leak opens the door to identity theft, blackmail, and fraud. Some users employed the app for business or dating. Others sought anonymity for deeply personal reasons. In either case, their data is now vulnerable to cybercriminals who can scrape Firebase in real-time for new data.

Here’s why this story matters:

It’s a systemic problem. This discovery is part of the large-scale research of 156,000 iOS apps. We found that 71% leak at least one sensitive secret.

Users trust the App Store. Apple’s ecosystem is perceived as safe. This story challenges that perception.

The implications are serious. Leaked messages could be used to impersonate, harass, or blackmail users. Developers could lose access to paid services due to leaked API keys.

Despite multiple outreach attempts, the app’s creators have not secured the database. This is an ongoing and active leak – users are still at risk.

The lead researcher Aras Nazarovas is available for interviews and can provide exclusive details on the technical aspects and real-world implications of these discoveries.