Backup App Vulnerability: Warning for G Cloud Backup on iOS

Written By Kampretz Bianca


The G Cloud Backup app for iPhones, from provider Genie9, has a security flaw that could allow unauthorized people to gain access to uploaded data. The app lets you save backup copies of photos, videos, address book and calendar entries to the provider’s cloud storage. The Android version of the app is not affected.

Data is transmitted without encryption

When checking the app’s data transmission behavior, we found that the iPhone app transmits data to the provider’s servers without transport encryption (TLS). If this happens on a public network, for example a hotel’s WiFi, other technically savvy users will be able to read the uploaded data, such as contacts in plain text, or access photos and videos.

Data is uploaded without explicit consent

Our testers also found that the app transfers certain data without the user having explicitly selected it in the app: as soon as you allow the iOS app to access your photo library, contacts, or calendar, it starts uploading, even if you haven’t selected these data types for an in-app backup. We advise against using this application until the provider has corrected the security deficiencies.

Erroneous. The background selection screen suggests that you can select data to back up individually. In fact, the application starts uploading files as soon as the user grants access.
© Stiftung Warentest/Ralph Kaiser

Provider, BSI and Apple informed

We found the vulnerability as part of our testing of backup software for desktop computers and smartphones, which will soon appear on test.de and in our magazine test. Immediately after the discovery in May, we informed the application vendor, Genie9 Ltd., about the security vulnerability. After the provider failed to respond to our report within the deadline, we informed Apple, the operator of the App Store. The company also did not respond specifically to our notification. The app is still available on the App Store, and there has been no update (as of June 17, 2024). We also informed the Federal Office for Information Security (BSI) about the discovery.
