The telephone directory app Dalil, very popular in Saudi Arabia and some Arab countries, is insecure and exposes its entire database of user data to third parties. Security researchers from VPNMentor pointed this out to me in an e-mail.
Dalil is the largest telephone directory in Saudi Arabia and is available as an app for smartphones. With more than 5 million downloads, Dalil is the 13th most popular communications app in Saudi Arabia (96% of users) and some Arab countries. The app works like Truecaller and helps users identify unknown numbers. In theory, this protects against cold calls and other unwanted contacts, whose calls can then be rejected.
In practice, however, the story is different. Led by Noam R., a well-known white-hat hacker and activist, VPNMentor's research team discovered a major security breach in Dalil's database. Through a vulnerability, the entire data set of more than 5 million users is openly accessible over the Internet.
Like all apps, Dalil requests permissions that users must agree to before they can download and use the program. Some permissions are expected, e.g. a Caller ID app must be able to read contacts. Other permissions seem more suspicious, such as reading and changing the phone’s stored files, redirecting calls and tracking the location.
As suspicious as some permissions may seem, they are not the main cause of Dalil’s security problems.
Dalil’s database is unprotected
The main problem: all user data collected by the app is stored in an unsecured and unmonitored MongoDB database. This database can be accessed without authentication and gives attackers password-free access to the data of millions of people. In addition to the application logs, the database contains both personal data extracted from devices and personal data voluntarily submitted by users. By default, the app collects the following user data:
- Mobile phone number and IP address (internal and external, if applicable)
- IMEI (the device-specific identification number)
- Device model, token, serial number and operating system
- SIM card and network operator information
- GPS and network location information
When users create their profiles, they are prompted to add additional information:
- Personal email account
- First name and surname
- Gender and occupation
This data is also stored in the same unprotected database, which is where the VPNMentor team found it. Details can be found in this article.
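As an added illustration (not code from the post or from VPNMentor), the two mongod.conf settings that turn a MongoDB server into the kind of open, credential-free database described here, together with a small audit that flags them; both sample configurations are constructed for this example.

```python
"""Audit a mongod.conf (YAML) for the two settings behind an open database:
listening on every interface and running without authorization."""


def parse_mongod_conf(text: str) -> dict:
    # Minimal parser for the two-level "section:\n  key: value" layout that
    # mongod.conf uses; avoids a PyYAML dependency so this runs stand-alone.
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not raw.startswith(" "):               # top-level section, e.g. "net:"
            section = key
            conf.setdefault(section, {})
        elif section is not None:                 # indented key under that section
            conf[section][key] = value
    return conf


def audit_mongod_conf(text: str) -> list:
    conf = parse_mongod_conf(text)
    findings = []
    # mongod's own default is to bind to localhost only and to run without authorization.
    bind_ip = conf.get("net", {}).get("bindIp", "127.0.0.1")
    if any(ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(",")):
        findings.append("net.bindIp exposes the listener on every interface")
    if conf.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not enabled: no credentials required")
    return findings


# Constructed sample: the kind of deployment the post describes.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed sample: the same server with both settings corrected.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app server's private address
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Enabling authorization is only half the fix: the server also needs user accounts created, and a network filter in front of it, before the listener is reachable from outside.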