- An app holding highly sensitive data has exposed the names and addresses of its users.
- The platform stored emergency user recordings on an unprotected server for an unknown period.
- The app users are now at great risk and should delete the disguised app immediately from their devices.
A domestic violence prevention application disguised under the name “Aspire News” has blundered hugely by leaking out 4,000 recordings of potential domestic violence victims. The records date as far back as in September 2017, and many of them contain names, addresses, phone numbers, and other pieces of sensitive information. Should these be made known to the wrong people, the app users would be in great trouble. The app was supposed to help its users stay safe from domestic violence, but it's now risking its aggravation.
Launched in 2013 by Robin McGraw and promoted on U.S. TV, the “Aspire News” app has had 300,000 downloads from people thus far. While it looks like a regular newsreader app, it offers a quick reporting system that alerts friends and family that the user is in imminent danger. Tapping the app's top bar three times sends a pre-recorded message to the determined recipients. As expected, these messages often include the user’s name, home address, or other personally identifiable details. Some recordings even include the abuser’s name for obvious reasons. Thus, having these recordings leaked by uploading them on an unprotected cloud server was the worst-case scenario.
The researchers downloaded the app and performed a test to see if the server is still the one supporting the main service database. They recorded a file and triggered the alert, receiving a text message with a web address that pointed to the particular cloud server. By using a link of this type, anyone could have fetched other recordings by shortening the full link.
The users of this app haven’t been directly informed of the security lapse, which could potentially put them at risk. Instead, the researchers who discovered the server, Noam Rotem and Ran Locar, notified “Aspire News” but haven’t received a response from them yet. They also contacted CBS and Dr. Phil - who is promoting the app's use - but didn’t hear back from them either. Informing the users of what happened as soon as possible would be absolutely critical at this point.
If you are using the “Aspire News” app, deleting it won’t mitigate the associated risks, as the recordings may have already fallen into the wrong hands. However, we would still suggest that you use a different domestic violence app, as the cover of this one has been blown. Moreover, “Aspire News” has insolently failed to protect your privacy, betraying the trust of its sensitive userbase.