2 min read

Drupe app removed from Google Play store after photos and messages leaked publicly


May 09, 2018

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Drupe app removed from Google Play store after photos and messages leaked publicly

Repeat after me.

If you’re still arguing about which is the better smartphone operating system for security – iOS or Android – you’re having the wrong debate.

The big data security issue with smartphones is not so much with what operating system you are running (although obviously it’s imperative to keep that up-to-date with patches) but instead with the third-party apps that you choose to install.

That threat is brought home loud and clear by the discovery that a popular Android app called Drupe, downloaded over 10 million times, has been leaving users’ selfie snapshots, audio messages, and other sensitive data exposed for anybody to see.

The Drupe communications app was supposed to make it more intuitive for Android users to contact each other with easy options to quickly call, SMS, email your buddies or start a Google Hangouts or Skype conversation.

However, as Motherboard reports, Drupe’s developers made a colossal blunder.

Because some of the data that Drupe was collecting from its users was being uploaded to unprotected Amazon AWS buckets, making the information accessible to anybody on the internet… no password required.

Security researcher Simone Margaritelli discovered the problem this weekend, and estimated that billions of pictures and audio messages from Drupe were lying around online for anyone to access if they knew where to look.

Fortunately Margaritelli acted responsibly, and after being informed of the problem Drupe configured the Amazon AWS buckets so they were no longer publicly accessible.

In a blog post Drupe played down the threat, claiming that only a small proportion of Drupe users – including those who had used the “Walkie Talkie” feature – had had their data exposed.

Separately the company refuted Margaritelli’s claims that billions of records might have been put at risk.

Whether there were billions of records exposed or not is missing the point in my opinion. What happened was clearly reckless behaviour on the part of app developers who simply had not prioritised the security and privacy of user data.

It’s not as though there haven’t been endless headlines of Amazon storage buckets leaking very sensitive information through sheer sloppiness on the part of companies.

And concerns just rise further when you see that Drupe requests such a wide and unnecessary range of access permissions when Android users install their app.

At the time of writing Drupe is not available in the Google Play store. Google is reportedly in contact with Drupe to discuss “the app’s handling of user data.”

The app is also available from the Apple iOS store, although it is unclear whether it suffers from the same or similar security concerns.

Always remember that when you give an app access to your data, you are putting your trust in the hands of third party developers. Do they have your best interest at heart? Do they even know how to keep your data secure and private?

It’s hard to write a good smartphone app. It’s even harder to create an app that properly looks after users’ data and leaves them secure.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like