Your Kid’s iOS Tracker App Could Be a GPS Goldmine for Stalkers

iOS Tracking App Leak Exposes Users to Cybercriminals 

Using a GPS tracking app to monitor loved ones? You might not be the only one watching. Cybernews researchers have uncovered a major security flaw in a popular iOS GPS tracking app, downloaded over 320,000 times from Apple’s App Store. The vulnerability exposed users’ real-time locations, allowing cybercriminals to track individuals without their knowledge. 

How the Data Leak Happened 

The breach was caused by a misconfigured Firebase security rule, which left GPS data publicly accessible. This exposed not only live location data but also usernames, phone numbers, and device details—giving attackers the ability to piece together a person’s identity and movements. 
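The article does not publish the app's rules or say which Firebase database product was involved. Assuming the Realtime Database, the sketch below is an added example (not code from Cybernews or the app) that audits a rules file for paths readable or writable without an identity check; the sample rules and the `locations` path are constructed.

```python
import json
import re

# Constructed rules for illustration; the "locations" path is hypothetical.
WEAK = json.loads("""{"rules": {
  ".read": true,
  "locations": {"$uid": {
    ".read": "auth != null && auth.uid === $uid",
    ".write": "auth != null && auth.uid === $uid"}}}}""")

FIXED = json.loads("""{"rules": {
  "locations": {"$uid": {
    ".read": "auth != null && auth.uid === $uid",
    ".write": "auth != null && auth.uid === $uid"}}}}""")


def is_public(rule):
    """True when a rule grants access without looking at the caller's identity."""
    if isinstance(rule, bool):
        return rule
    expr = str(rule).strip()
    if expr == "false":
        return False
    # Heuristic: an expression that never references `auth` cannot depend on who asks.
    return re.search(r"\bauth\b", expr) is None


def audit(node, path="", inherited=frozenset()):
    """Return (path, operation, finding) tuples for a parsed "rules" subtree."""
    findings, granted = [], set(inherited)
    for op in (".read", ".write"):
        if op not in node:
            continue
        if op in inherited:
            # Rules cascade downward: a grant higher up cannot be revoked here.
            if not is_public(node[op]):
                findings.append((path or "/", op, "overridden by public ancestor"))
        elif is_public(node[op]):
            findings.append((path or "/", op, "public"))
            granted.add(op)
    for key, child in node.items():
        if isinstance(child, dict):
            findings += audit(child, f"{path}/{key}", frozenset(granted))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit(doc["rules"]))
```

In the weak sample the per-user rule under `locations` looks correct in isolation, but the root-level `.read: true` makes every record readable regardless, which is why the audit reports both lines.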

Even more concerning, the app’s code contained hidden secret keys that could grant deeper access to user data. Despite multiple attempts by Cybernews to contact the app’s developers, no response was received. 

How Hackers Could Exploit This Flaw 

At the time of discovery, nearly 20,000 location records were stored in the app’s unsecured Firebase database. These types of databases are often used temporarily, with older entries automatically deleted over time. However, cybercriminals could easily collect and store this data using automated scrapers, silently amassing a wealth of sensitive user information. 

Worse still, attackers could track users in real time—an especially alarming risk for children using the app. Cybernews researcher Aras Nazarovas highlighted that GPS data could be used to infer daily routines, which could then be leveraged for social engineering attacks or, in the worst cases, stalking. 

What Other Sensitive Data Was Exposed? 

Beyond location tracking, the app leaked several critical security credentials, including: 

  • API keys 
  • Client IDs 
  • Database URLs 
  • Google App IDs 
  • Project IDs 
  • Storage bucket access 
  • Facebook App ID 

These credentials are highly valuable to hackers. For example, stolen API keys could allow attackers to manipulate the app’s backend services, rack up unauthorized charges, or even impersonate the app itself. Exposure of storage bucket access could enable criminals to steal, modify, or inject malicious files into the app. 

A Widespread Problem in iOS Apps 

The investigation was part of a large-scale study analyzing 156,000 iOS apps—approximately 8% of all apps on the Apple Store. Alarmingly, 71% of the apps analyzed contained at least one exposed secret, with the average app revealing 5.2 sensitive credentials. 

Previous research also uncovered that popular iOS dating apps had similar vulnerabilities, exposing nearly 1.5 million private user photos, including deleted and rule-violating content. 

The Bottom Line 

This breach underscores the dangers of poor security practices in mobile apps. Hardcoded credentials and misconfigured databases can leave users vulnerable to tracking, fraud, and identity theft. If you use GPS tracking apps, ensure they come from reputable developers and have strong privacy safeguards in place. 
