Personal tracking apps can be useful in the right situations, such as remembering visited locations or keeping tabs on loved ones. But that usefulness depends on the app keeping users’ data safe and secure. Unfortunately for users of Family Locator, a tracking app for iOS aimed at families, it did neither, leaving a large amount of personal data, including real-time locations, exposed for anyone to find.
Family Locator’s glaring security flaws were discovered by security researcher Sanyam Jain and first reported to TechCrunch. The app comes from the Australia-based developer React Apps, and among the features are real-time location tracking for family members, along with geofence-based notifications for when someone enters or leaves a specific location.
Jain found that the app’s servers weren’t password protected, and that the backend database was similarly unprotected. Even worse, this database, which included a large amount of personal data on each user, was completely unencrypted. These details include users’ names, email addresses, plaintext passwords, and specific real-time locations for family members, as well as any geofence coordinates that were set up.
This collection of data on the app’s more than 238,000 users was exposed for at least several weeks, where anyone could find it. TechCrunch went so far as to create a dummy account, which turned up in the database with its location within seconds, and also contacted one random user to confirm that their personal details were accurate.
React Apps has yet to acknowledge the exposed data, and the company could not be reached through its website or Australian business records. Fortunately for users who have yet to learn about this situation, Microsoft pulled the database, which was hosted on its Azure cloud, after being contacted by TechCrunch.