When Wellness and Security Apps Betray Your Trust

Illustration: Colourbox.com
Apps designed to protect our peace of mind are increasingly becoming sources of anxiety. Take 7 Minute Chi – Meditate & Move, a meditation app marketed to reduce stress, and Robo Spam Text & Call Blocker, an iOS tool meant to shield users from robocalls and phishing. Both promised safety – one for mental well-being, the other for digital security. Instead, both exposed sensitive user data through basic security failures, revealing a worrying truth: the apps we trust to guard our privacy are often the weakest links in our digital lives.
The Irony of Leaky Safe Spaces
The 7 Minute Chi breach laid bare the personal details of over 100,000 users – names and emails – along with app secrets such as API keys and Facebook credentials, all because of a misconfigured Firebase database. This is a betrayal: users sought calm and focus, only to have their data potentially weaponized for phishing or identity theft.
Robo Spam Text & Call Blocker, downloaded 93,000 times, fared no better. It leaked 339,000 reported spam numbers, customer support tickets containing real names and emails, and critical app secrets. Criminals now know which numbers users block and which keywords to avoid, which lets them craft scams that slip past the filters.
These leaks aren’t accidents but symptoms of systemic negligence. Firebase misconfigurations – security rules that leave a database readable or writable by anyone who knows its URL – and hardcoded secrets embedded in app code are shockingly common. Anything shipped inside an app bundle can be extracted by anyone who downloads the app, so a secret stored there is effectively public. Our research shows 71% of 156,080 sampled iOS apps leak at least one secret, with an average of 5.2 per app. When developers cut corners, apps designed to protect become tools for exploitation.
The Human Cost of Broken Promises
For users, the fallout is deeply personal. Just imagine receiving a phishing email that references your meditation habits, perhaps even mentioning the specific app you use or the routines you follow – details you thought were private.
Or picture answering a spam call that not only gets past your trusted blocker, but uses language and tactics tailored to your reported preferences and blocked keywords, making the scam far more convincing.
In both cases, the sense of violation is profound: information you shared in the pursuit of calm or safety is now being used to target and manipulate you, turning trusted digital spaces into sources of new anxiety.
A Failure of Accountability
Neither Apple’s App Store reviews nor developer due diligence prevented these breaches. 7 Minute Chi’s Firebase instance sat exposed for weeks, while Robo Spam Text & Call Blocker’s parent company, Brantley Media Group, has a history of leaks, including an AI app that exposed users’ intimate stories. Yet Apple’s ecosystem, often perceived as a “walled garden,” has no mechanism to scan submitted apps for hardcoded secrets or to enforce secure cloud configurations.
What’s Next?
To restore trust, the industry must prioritize:
Expand app store reviews to include backend security checks: Apple and other platform owners should incorporate automated scans for misconfigured databases, hardcoded credentials, and other backend vulnerabilities before approving apps.
Adopt secure development practices: developers must follow secure coding standards, conduct regular code reviews, and use automated security testing tools to catch vulnerabilities – including secrets left in a build – before they ship.
Provide real-time privacy visualizations and alerts: empower users with dashboards or notifications that reveal how their data is used, and immediately alert them to potential leaks or suspicious activity.
Offer post-breach support and transparency: notify users quickly when a breach occurs, provide guidance on protective actions, and offer services such as personal data scans to help users recover.
Regularly update and patch apps: keep third-party SDKs and backend configurations current, and ship fixes promptly when a vulnerability is found.
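As an added example (not Cybernews tooling, and not code from either app), the following Python script shows the two automated checks that the list above and the earlier discussion of Firebase misconfigurations and hardcoded secrets call for: a regex-plus-entropy scan over strings pulled from an app bundle, and an audit of a Firebase Realtime Database rules document for .read/.write rules that grant access without consulting auth. The bundle strings, key values and rules documents are constructed samples, and the secret formats are assumptions based on the public shape of each key type.

```python
"""Offline checks for the two failure modes behind these leaks: secrets
hardcoded in an app bundle, and a Firebase Realtime Database whose rules let
anyone read or write. Added example; not Cybernews tooling and not code from
either app. All inputs below are constructed samples."""
import json
import math
import re

# Shapes of common secret types. The formats are assumptions based on the
# documented public shape of each key type; tune them for your own stack.
# Specific patterns come first so the generic one only catches leftovers.
SECRET_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "firebase_db_url": re.compile(
        r"https://[a-z0-9-]+\.(?:firebaseio\.com|[a-z0-9-]+\.firebasedatabase\.app)"),
    "facebook_app_secret": re.compile(
        r"(?i)facebook[_ ]?(?:app[_ ]?)?secret\W{0,3}([0-9a-f]{32})"),
    "generic_secret": re.compile(
        r"(?i)(?:secret|api[_-]?key|token)\b\W{0,3}([A-Za-z0-9_\-]{20,})"),
}


def shannon_entropy(s):
    """Bits per character: placeholders like CHANGEME score low, real keys high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_secrets(text, min_entropy=3.2):
    """Return [{kind, value, line}] for every distinct secret found in text.
    A value caught by a specific pattern is not reported again as generic,
    and generic matches below min_entropy are dropped as placeholders."""
    seen, findings = set(), []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if value in seen:
                continue
            if kind == "generic_secret" and shannon_entropy(value) < min_entropy:
                continue
            seen.add(value)
            findings.append({"kind": kind, "value": value,
                             "line": text.count("\n", 0, m.start()) + 1})
    return sorted(findings, key=lambda f: f["line"])


def audit_firebase_rules(rules_doc):
    """Walk a Realtime Database rules document and return (path, op, expr) for
    every .read/.write that grants access without consulting auth. Rules
    cascade downward, so a public rule at "/" exposes the whole database."""
    def is_public(expr):
        if expr is True:
            return True
        if isinstance(expr, str):
            e = expr.strip().lower()
            return e == "true" or "auth" not in e
        return False

    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, val in node.items():
            if key in (".read", ".write"):
                if is_public(val):
                    findings.append((path or "/", key, val))
            elif not key.startswith("."):  # skip .validate, .indexOn
                walk(val, f"{path}/{key}")

    walk(rules_doc.get("rules", {}), "")
    return findings


def audit_firebase_rules_json(text):
    """Same audit, taking the rules document as the JSON text Firebase exports."""
    return audit_firebase_rules(json.loads(text))


# Constructed sample: strings one might pull from an unpacked .ipa with
# `strings` or by reading GoogleService-Info.plist. None of these are real.
SAMPLE_BUNDLE_STRINGS = """\
CFBundleIdentifier = com.example.calmapp
API_KEY = AIzaSyExampleKey0123456789abcdefghijklm
DATABASE_URL = https://calmapp-default-rtdb.firebaseio.com
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
FacebookAppSecret = 0123456789abcdef0123456789abcdef
client_secret = CHANGEME_CHANGEME_CHANGEME
session_token = k3Jq9ZxT2vL8mNpR4sWb7YcD1eFgH6aU
"""

# Constructed rules documents: world-readable defaults versus per-user access.
WEAK_RULES = '{"rules": {".read": true, ".write": true}}'
SAFE_RULES = """{
  "rules": {
    "users": {
      "$uid": {
        ".read":  "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}"""

if __name__ == "__main__":
    for f in scan_secrets(SAMPLE_BUNDLE_STRINGS):
        print(f"line {f['line']}: {f['kind']} = {f['value'][:8]}...")
    for label, doc in (("weak", WEAK_RULES), ("safe", SAFE_RULES)):
        print(label, audit_firebase_rules_json(doc) or "no public rules")
```

The entropy threshold is what keeps a scanner like this usable: the CHANGEME placeholder scores under 3 bits per character and is dropped, while the random-looking token scores 5 and is reported. The rules audit is deliberately conservative, flagging any expression that never mentions auth; a rule such as `data.child('public').val() == true` may be intentional, but it is worth a human look, because the bundle already told an attacker the database URL.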
As the lead researcher on these investigations, I urge users to demand better. Change any password exposed in a breach, limit the data you share with apps, vet apps before installing them as far as you can, and pressure platforms to enforce stricter standards. Until then, the very tools marketed to protect us will continue to leave us exposed.
Aras Nazarovas is an Information Security Researcher at Cybernews, a research-based technology publication. He focuses on cybersecurity and threat analysis, with expertise in identifying vulnerabilities in online services, malicious campaigns, and hardware. Aras led Cybernews’ investigation into hardcoded secrets in iOS applications, revealing security risks across thousands of mobile apps. He has also contributed to uncovering significant data protection and privacy issues affecting major organizations, including NASA, Google Play, and PayPal. The Cybernews research team conducts more than 7,000 investigations annually, publishing over 600 studies to support public understanding of cybersecurity threats and promote safer digital practices.
Cybernews research:
Cybernews researchers analyzed 156,080 randomly selected iOS apps – around 8% of the apps present on the App Store – and uncovered a massive oversight: 71% of them leak at least one hardcoded secret.
Recently, Bob Dyachenko, a cybersecurity researcher and owner of SecurityDiscovery.com, and the Cybernews security research team discovered an unprotected Elasticsearch index, which contained a wide range of sensitive personal details related to the entire population of Georgia.
The team analyzed the new Pixel 9 Pro XL smartphone’s web traffic, and found that Google’s latest flagship smartphone frequently transmits private user data to the tech giant before any app is installed.
The team revealed that a massive data leak at MC2 Data, a background check firm, affects one-third of the US population.
The Cybernews security research team discovered that the 50 most popular Android apps require 11 dangerous permissions on average.
The team revealed that two online PDF makers leaked tens of thousands of user documents, including passports, driving licenses, certificates, and other personal information uploaded by users.
An analysis by Cybernews research discovered over a million publicly exposed secrets in the exposed environment (.env) files of more than 58,000 websites.
The team revealed that Australia’s football governing body, Football Australia, has leaked secret keys potentially opening access to 127 buckets of data, including ticket buyers’ personal data and players’ contracts and documents.
The Cybernews research team, in collaboration with cybersecurity researcher Bob Dyachenko, discovered a massive data leak containing information from numerous past breaches, comprising 12 terabytes of data and spanning over 26 billion records.
The team analyzed NASA’s website, and discovered an open redirect vulnerability plaguing NASA’s Astrobiology website.
The team investigated 30,000 Android Apps, and discovered that over half of them are leaking secrets that could have huge repercussions for both app developers and their customers.