The iPhone app G-cloud backup from provider Genie9 has a security flaw that could allow unauthorized people to gain access to uploaded data. The app lets you save backup copies of photos, videos, address book and calendar entries to the provider’s cloud storage. The Android version of the app is not affected.
Data is transmitted without encryption
When checking how the app sends data, we found that the iPhone app transmits data to the provider’s servers without transport encryption (TLS). If this happens on a public network, for example a hotel’s WiFi, other technically savvy users will be able to read the uploaded data, such as contacts in plain text, or access photos and videos.
Data is uploaded without explicit consent
Our testers also found that the app transfers certain data without the user having explicitly selected it in the app: as soon as you allow the iOS app to access your photo library, contacts, or calendar, it starts uploading them, even if you haven’t selected these data types for an in-app backup. We advise against using this app until the provider has corrected the security deficiencies.
Provider, BSI and Apple informed
We found the vulnerability as part of our testing of backup software for desktop computers and smartphones, which will soon appear on test.de and in our magazine test. Immediately after the discovery in May, we informed the app's vendor, Genie9 Ltd., about the vulnerability. After the provider failed to respond to our report within the deadline, we informed Apple, the operator of the App Store. The company also did not respond specifically to our notification. The app is still available on the App Store, and there has been no update (as of June 17, 2024). We also informed the Federal Office for Information Security (BSI) about the discovery.