vpnMentor’s research team, led by analysts Noam Rotem and Ran Locar, recently discovered a sensitive data breach originating from the domestic violence prevention app Aspire News App.
Built by the US non-profit When Georgia Smiled, Aspire News App can be installed on a user’s phone to appear as a news app. However, it also features an emergency help section with resources for domestic abuse victims, including a function for them to send emergency distress messages to a trusted contact person. These distress messages can be sent via voice recording, with a victim’s details, home address, the nature of their emergency, and their current location. The developers of the Aspire News App had stored over 4,000 voice recordings (more than 230MB) on a misconfigured Amazon Web Services (AWS) S3 bucket, allowing any files to be viewed and downloaded, similar to a cloud storage folder, say the researchers.
According to the report, although it’s now secured, this data breach represents a significant lapse in basic data security by Aspire News App and When Georgia Smiled.
In the voice recordings the researchers sampled, victims revealed highly sensitive Personally Identifiable Information (PII) data about themselves and their partners, family members, or abusers. These included:
- Victims’ full names and home addresses
- Details of their emergencies and/or personal circumstances
- Abusers’ names and personal details
In total, the team found over 4,000 voice recordings in Aspire News App’s misconfigured S3 bucket. The samples the researchers listened to appeared to be pre-recorded, most likely when a victim had only a few minutes alone and needed to record and save a distress message quickly. "They could then instantly send the saved message to an emergency contact any time they felt in danger, by pressing a button on the app. This highlights the extreme conditions under which domestic abuse victims live, and the real physical danger if they’re caught seeking help from outside the home. Furthermore, after months of government-mandated lockdowns across the USA, domestic abuse charities, police departments, and government agencies have recorded huge increases in domestic violence cases being reported. With many victims forced to stay in close quarters with the abusers for unusually long periods, and unable to access support, an app like Aspire News App is a crucial lifeline. This is evidenced by the high numver of messages being uploaded on a daily basis throughout June alone," says the report. "However, by not securing these voice recordings, the developers potentially inadvertently put victims in even more danger."
For more information and detailed findings, please visit https://www.vpnmentor.com/blog/report-aspire-news-app-breach/