Drupe app removed from Google Play store after photos and messages leaked publicly

Repeat after me.

If you’re still arguing about which is the better smartphone operating system for security – iOS or Android – you’re having the wrong debate.

The big data security issue with smartphones is not so much with what operating system you are running (although obviously it’s imperative to keep that up-to-date with patches) but instead with the third-party apps that you choose to install.

That threat is brought home loud and clear by the discovery that a popular Android app called Drupe, downloaded over 10 million times, has been leaving users’ selfie snapshots, audio messages, and other sensitive data exposed for anybody to see.

The Drupe communications app was supposed to make it more intuitive for Android users to contact each other with easy options to quickly call, SMS, email your buddies or start a Google Hangouts or Skype conversation.

However, as Motherboard reports, Drupe’s developers made a colossal blunder.

Some of the data that Drupe was collecting from its users was being uploaded to unprotected Amazon AWS buckets, making the information accessible to anybody on the internet… no password required.

Security researcher Simone Margaritelli discovered the problem this weekend, and estimated that billions of pictures and audio messages from Drupe were lying around online for anyone to access if they knew where to look.

Fortunately Margaritelli acted responsibly, and after being informed of the problem Drupe configured the Amazon AWS buckets so they were no longer publicly accessible.

In a blog post Drupe played down the threat, claiming that only a small proportion of Drupe users – including those who had used the “Walkie Talkie” feature – had had their data exposed.

Separately the company refuted Margaritelli’s claims that billions of records might have been put at risk.

Whether there were billions of records exposed or not is missing the point in my opinion. What happened was clearly reckless behaviour on the part of app developers who simply had not prioritised the security and privacy of user data.

It’s not as though there haven’t been endless headlines of Amazon storage buckets leaking very sensitive information through sheer sloppiness on the part of companies.

And concerns just rise further when you see that Drupe requests such a wide and unnecessary range of access permissions when Android users install their app.

At the time of writing Drupe is not available in the Google Play store. Google is reportedly in contact with Drupe to discuss “the app’s handling of user data.”

The app is also available from the Apple iOS store, although it is unclear whether it suffers from the same or similar security concerns.

Always remember that when you give an app access to your data, you are putting your trust in the hands of third party developers. Do they have your best interest at heart? Do they even know how to keep your data secure and private?

It’s hard to write a good smartphone app. It’s even harder to create an app that properly looks after users’ data and leaves them secure.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

  • Additionally, Drupe's Privacy Policy explicitly allows the company to share user data with "third parties" without informing the user. Worth noting that Drupe is based in Israel. I flagged this problem up approx. a month ago in my Play Store review but it was deleted shortly afterwards.