While our smartphones have definitely become more capable and smarter, the phone functionality itself has remained locked in the 20th century. There have been many attempts to make the phone app itself even smarter. Google’s dialer app is one. Third-party TrueCaller, which is making its way to the likes of Cyanogen OS and BLU Products devices, is another. Yet for all the convenience that the service might bring, one single design flaw potentially exposed the private details of 100 million Android users who have downloaded the app in good faith.
TrueCaller is practically a modern, glorified caller ID feature. These days it’s no longer enough to simply see the number that’s calling you, you need to be able to quickly identify whether it’s something you’d like to take or reject. TrueCaller identifies incoming calls and matches it with known numbers as well as those marked by users. It can quickly inform you if it’s spam you’d rather ignore. And in case there was an error or a new number came up, you can also mark those numbers appropriately to help grow and improve the identification.
Cheetah Mobile Security, however, came across a rather disturbing issue. TrueCaller apparently used a smartphone’s IMEI as the unique identification for the user as well, practically reusing that same string of numbers as the user’s password, so to speak. That means that anyone who has gotten a hold of that IMEI number, whether by theft or through some other means, can go to TrueCaller’s website and glean private personal details and change the user’s account settings, no questions asked. Those details include name, gender, e-mail address, home address, and other bits of information that TrueCaller accounts hold. Hackers can also modify account settings, for example, disable spam blocks to let those spam calls in again.
To its credit, TrueCaller was quick on its feet and patched up that vulnerability. Users who have the app installed are strongly urged to update when its available. The good news is that no actual exploit has happened using this vulnerability, at least to TrueCaller’s and Cheetah Mobile’s knowledge.