Sequels seldom live up to the hype. But the newly launched Bolo Messenger App has managed to garner the same level of buzz as the Kimbho App – its earlier version. And again, for all the wrong reasons.
The launch of the Bolo app on Friday, 13 July, spurred a cheeky Twitter battle between two adversaries. An anonymous French security researcher, who goes by the moniker Elliot Alderson, had punctured holes in Kimbho’s security design and has now flagged major flaws in the Bolo Messenger app. This happened after Aditi Kamal, the developer of Kimbho and now Bolo, challenged him to find weaknesses in the new app on Twitter.
Kamal, speaking to The Quint, denied the validity of the flaws. “Security is our No.1 priority and we aim to excel in this area,” she said, adding that “there have been numerous attacks on our systems from all over the world – the Netherlands, England, France, China, America – and they all failed.”
We bring you a blow-by-blow account of the Twitter duel and an analysis of the security flaws flagged by Alderson.
Elliot Alderson vs Aditi Kamal
This is what Aditi Kamal tweeted: “Hi @fs0c131 (Alderson’s twitter handle) Try your hacking skills on this swadesi version. #swadesiaditi #challenge #nojoke”
What followed was not flattering for Bolo. It was revealed that Bolo’s security features were allegedly as poor as Kimbho’s. The exchange between Kamal and Alderson was replete with dollops of security pow-wow and a dash of sass, with an eager audience chipping in with their supply of sarcasm.
Alderson, who adopted his moniker from the vigilante hacker protagonist of the popular series ‘Mr Robot’, said “Challenge Accepted!” in response to Kamal’s tweet and then proceeded to detail in a tweet thread the first major flaw he discovered.
Flaw 1
One can see the online status and the last active time of a Bolo user outside of one’s contact list.
Alderson, in a thread of ten tweets explained with screenshots of the API how when one sends a text, the app checks whether the recipient is online and when she was last active on the app. The access to this metadata counts as an invasion of user privacy because people outside of your contact list can potentially monitor your movements on the app.
Kamal, though, didn’t seem impressed with the comeback and offered her own counter-punch. “I don’t need to be a PROGRAMMER to see WhatsApp status. Why would I write a hacking script for something I can do in simple two steps? Looking for something interesting,” she tweeted back.
Alderson, in his characteristic style, responded to Kamal’s counter by claiming that she had no idea about security, particularly in reference to her usage of the term, “hacking script”.
Alderson, in signing off from the bout with a mic-drop GIF, had a few words of advice.
The audience in the digital colosseum of Twitter who were witnessing the blows live had a few inputs of their own as well.
Security researchers The Quint got in touch with backed the validity of the claims made by Alderson. “What he is pointing to checks out. Moreover, the back end seems to be running a Jetty server without a load balancer or any front-end security capable of detecting intrusions or load limiting,” said V Anand, a security researcher and programmer based in Bengaluru.
Aditi Kamal’s response to The Quint: This was a privacy concern raised by him. However, like all other apps we have a setting to disable showing online status. This is similar to how WhatsApp and Gmail show the photo avatar and online status of unknown users with the provision of opt-out. However, to add extra layer of privacy, we have disabled people from viewing your status if not a friend, along with complete opt-out provision.
Flaw 2
The app stores critical information like telephone number and user ID in plain text in a shared-preference file. Most importantly, the file also contains the plain-text token that is used to make requests to the app’s server. Through a minor manoeuvring of the API, a hacker can obtain the token of any user and impersonate her to make requests to the server.
In round two, Alderson added a face-palm emoji to make the blow more powerful.
Kamal, once again, stuck to her guns and provided a counter to Alderson’s expose. Before the bell went off at the end of the bout, Alderson had a few more parting words of advice.
Aditi Kamal to The Quint: Another concern raised was the ability to read his own notification token. However, this token is unique per user and is used to send notifications by our system to unique user (in this case, him). This is not a security threat at all and is confined to a unique user (which is him). Also, these tokens expire and are invalidated after some time. Still, since it was raised by a pro like him we addressed it and it is no longer accessible to anyone. She added that her security team is continuously reporting these attacks to the concerned authorities.
The website describes Bolo as “Bharat’s first swadesi messaging app” whose mission is to promote swadesi tech revolution and support the Make in India movement”. It is available on both Google Play and Apple App stores.
Expert Speak
Security experts, however, point to the fact that the Android API that apps like Bolo are built on has historically been found to contain bugs that allow hackers to spoof an app or extract data off them. “The important question here is that a responsible app would be aware of this aspect of Android and build an app that secures it against such threats. There is a possibility of clone Bolo apps that could surface and hackers could use the attack vectors flagged by Alderson but in different ways,” said Srinivas Kodali, a security engineer and internet researcher.
Experts are of the opinion that building a messaging app is not a big deal. It is building an app that addresses all the security concerns that is difficult. It is very easy to write a ‘normal’ text messenger, one that moves messages between two mobile phones. It is the end-to-end encryption that WhatsApp and Signal offer that is most complex to implement.
“Apps like Bolo may get away since most users are not aware of the underlying technology and could fall for it,” said a researcher who did not wish to be named.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)