Family Locator tracking app held customer data - including child location - on server with no password
An iPhone application, Family Locator, designed to let parents keep an eye on the location of their children, left sensitive user data on a server with no password.
The data, which could be accessed by anyone who knew where to look, included the name, email address, profile photo and real-time location of more than 238,000 users. The server also held the names and locations of geofenced areas set up by users, along with their account passwords, which were stored in plaintext rather than being hashed.
Sanyam Jain, a security researcher and a member of the GDI Foundation, discovered the insecure server and reported it to TechCrunch, which was able to confirm the problem for itself: using the freely accessible data, it correctly located randomly chosen Family Locator users in real time.
Any user who had set up a geofence also had its coordinates stored in the unencrypted, password-free database. The names given to those geofences - such as 'home', 'work' and 'school' - were visible too, meaning anyone with access to the server could see when a user left home or arrived at school.
The developer, Australia-based React Apps, states on the iOS App Store: "We take privacy very seriously" and claims to "use secured servers throughout."
Two days on from the insecure server being brought to light, React Apps has yet to reply to requests for comment, including one made by GearBrain. The developer offers no means of contact on its website other than a feedback submission form, which returns the automated response: "Thanks for the message, we'll get back to you as soon as possible!"
React Apps also appears to have no social media presence, and the WHOIS record for its website domain hides the email address of the domain's owner. TechCrunch reports that, having paid for React Apps' business records from the Australian Securities & Investments Commission, it identified the company owner as Sandip Mann Singh, but the records provided no contact information.
Family Locator, which needs to be installed on the phone of the person you want to track, has an iOS App Store rating of 3.5 out of five stars. A recent review, left in January 2019, called it "totally useless" and said it got a person's location wrong by two streets. Other reviews praised the app's accuracy and speed, saying it is useful for keeping an eye on the location of teenage children.
After continued radio silence from React Apps and Singh, Microsoft, which hosted the unprotected database on its Azure cloud, was asked to contact the developer. After this, the database was silently taken offline.
