In what could be termed as a massive security breach, three Android apps offered by developer DMobileAndroid were found to be inadvertently sharing thousands of private photos and documents online. The apps offered by the developer are XGimp, MaxiPDF and Docswork, each of which has been downloaded anywhere between 100,000 and 500,000 times.
First spotted by Reddit user on Thursday, the DMobileAndroid apps offer a built-in cloud backup solution, which is insecure and the stored files can be viewed by anyone via their own XGimp or MaxiPDF apps.
“The developer DMobileAndroid has a cloud backup system in all of their apps that is incredibly insecure. You can access hundreds of thousands of people’s private information through the XGimp app. It is literally a VNC connection to a Linux server running Gimp, and everyone’s files are stored on the same server and anyone can access them,” the Redditor explained.
“I have seen hundreds of thousands of people’s private files, even seeing new ones get uploaded in real time. Social security cards, tax returns, identification cards, resumes, school projects, birth certificates, and much more. On top of that, I also have access to everyone’s photos that they opened with the XGimp app. Family photos, pictures of insurance cards and ID, nude selfies, screenshots, and everything else,” added Redditor.
Another Reddit user was able to remove all existing uploads and take down the app server to stop any further leakage of files, but the actual apps are still live on the Play Store.
These may not be malicious apps, but having such poor security and an overall pathetic implementation in such popular apps is criminal.
Editor’s Note: For future reference, you should stay away from uploading your data on apps from non-trusted developers and companies.