Not long ago, TechCrunch published an article about a call-recording app vulnerability on iPhones. The app, called “Call Recorder” or “Acr call recorder” in the Apple App Store, utilized an insecure web API to retrieve call recordings from AWS S3 cloud storage. While it may not appear as glamorous as a high-profile breach, this vulnerability provides valuable lessons and exhibits similarities to other notable incidents and breaches. Most of the issues align with the OWASP API Security Top 10, a comprehensive list of common API mistakes.
Luckily, the security researcher, Pingsafe AI, and TechCrunch responsibly disclosed these weaknesses to the app creator before publicizing their findings. It remains uncertain whether any malicious parties exploited the vulnerabilities and gained unauthorized access to the recordings before the disclosure. As of now, the app developer and publisher have not released any public statements. There is a persistent impression that security options for call recordings are not always implemented, even by developers. Even so, there are also gaps in call recording privacy and security on the users’ side.
Call Recorder Security Issues
The researcher initiated his research by reverse engineering the IPA package, which is an iOS mobile binary. There are various techniques and tooling available on the Internet for this purpose. One such source is maintained by OWASP on the page “iOS Tampering and Reverse Engineering.” It is important to note that a mobile binary is not a “black box,” and no one should assume that mobile code is protected by default. Attackers can easily reverse-engineer mobile code to understand the internal business logic of an application, extract API keys, and steal intellectual property. Similarly, security researchers utilize reverse engineering and debugging techniques to proactively identify issues.
Both attackers and researchers frequently employ intercepting proxy tools like Charles Web Debugging Proxy, Telerik Fiddler, OWASP Zed Attack Proxy, and PortSwigger Burp Suite. These tools are highly valuable for exposing and manipulating application communications. It is worth mentioning that, like many things in life, these tools can be used for either good or evil purposes. The tool itself is not the problem; however, individuals with malicious intent could potentially exploit it.
The identified issues in the Call Recorder application include broken authentication, broken object-level authorization (BOLA), lack of encrypted transport, excessive data exposure, lack of pseudonymous identifiers, and unsecured cloud storage.
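The following is an added example, not code from the app or from the researcher's findings: it contrasts a handler that shows three of the listed issue classes (broken authentication, BOLA, excessive data exposure) with a hardened one. All names, identifiers and records are hypothetical and constructed for illustration.

```python
import secrets

# Constructed sample data: two accounts with one recording each.
RECORDINGS = [
    {"id": "rec-a", "owner": "acct-7f3k", "duration_s": 62,
     "storage_key": "bucket/acct-7f3k/rec-a.m4a"},
    {"id": "rec-b", "owner": "acct-q91x", "duration_s": 15,
     "storage_key": "bucket/acct-q91x/rec-b.m4a"},
]
# Server-side sessions: random bearer token -> authenticated account.
SESSIONS = {secrets.token_urlsafe(32): "acct-7f3k"}

PUBLIC_FIELDS = ("id", "duration_s")  # allow-list of fields a client may see


def list_recordings_weak(body):
    """Weak pattern: no credential check, the owner is taken from the request
    body, and full internal records (storage location included) are returned."""
    wanted = body.get("user_id")
    return {"status": 200,
            "items": [r for r in RECORDINGS if r["owner"] == wanted]}


def list_recordings(headers, body):
    """Hardened pattern: authenticate first, then authorize per object."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    account = SESSIONS.get(token) if scheme == "Bearer" else None
    if account is None:
        return {"status": 401, "items": []}   # no valid session
    # The owner comes from the session. A client-supplied owner that
    # disagrees with it is rejected rather than silently honoured.
    if body.get("user_id", account) != account:
        return {"status": 403, "items": []}
    items = [{k: r[k] for k in PUBLIC_FIELDS}
             for r in RECORDINGS if r["owner"] == account]
    return {"status": 200, "items": items}
```

The hardened handler never returns the storage key; a real service would hand out short-lived, per-object download links from a private bucket instead.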
What Should You Expect from a Reliable Call Recording App?
The ideal iPhone call recorder app should not store valuable information and should be resistant to reverse engineering. Another key requirement is the implementation of advanced authentication in the iPhone phone recorder. In addition to security measures, the functionality of a call recorder is also important: recording quality, ease of file management, and additional settings. One of the best apps tested is iCall, which you can use for 3 days for free. Even the free trial version is enough to record calls safely and effectively. It is suitable for both business and ordinary users. We’ll talk more about all the key points below in this section.
Features
Here are the points you should focus on first:
- Register quickly. Lengthy registration processes in some mobile applications can be frustrating and time-consuming. The same issue can arise with call recording apps. Choose a call recording app that offers easy and fast registration steps.
- Utilize cloud storage. Long audio recordings can consume device memory and lead to data loss if the device is lost or stolen. An app with cloud storage functionality syncs call recordings effortlessly. But this is a compromise with security.
- Avoid annoying advertisements. Advertisements can be bothersome when using a call recording app, particularly if they appear during a conversation. Look for an app that offers an ad-free experience to enhance your recording process.
- Ability to edit and organize entries. After recording, you may need to sort or edit entries. Apps with features for editing and organizing recordings are highly beneficial, ensuring convenience and ease of use.
Privacy
A simple rule applies here: the less information the application collects, the better. You should also avoid storing data on the servers that the application offers, at least if you don’t trust it 100%. The priority is to store records locally on the device or on personal, commercial servers. I don’t want to see a situation like the one described above, where thousands of conversations could be stolen.
Performance
The application should run smoothly, without delays or crashes. Here are a few more requirements.
- High-quality call recording. The main concern while recording conversations is sound quality. Choose a professional call recording app to ensure high-quality recordings.
- Unlimited recording duration. Free call recording methods usually have limitations on recording duration, and even some paid apps impose such restrictions. Opt for an app that allows seamless and uninterrupted recording without any time constraints.
Conclusion
There is a wide range of iPhone call-recording apps available, but they all have advantages and disadvantages. You can objectively evaluate their strengths and weaknesses based on the parameters in this article. The issue of security is more difficult to study, but it also needs to be taken into account.