Compliance Impact

This vulnerability involves the storage of full-precision GPS coordinates in an unencrypted local database, even when users intended to share only generalized location information such as country or city. Such over-disclosure of precise location data can lead to privacy violations.

From a compliance perspective, this could conflict with regulations like GDPR and HIPAA, which require minimizing the collection and exposure of personal data and ensuring appropriate data protection measures. The excessive sharing and storage of precise location data without explicit user consent or adequate protection could be seen as non-compliant with these standards.

Although the app later encrypted the local database, the root cause—over-disclosure of exact coordinates by the server API—persisted, potentially exposing sensitive personal data and increasing the risk of regulatory non-compliance.

Useful 0 Not Useful 0

Executive Summary

CVE-2020-25900 is a privacy vulnerability in the HelloTalk Android app (versions up to 3.4.1) where the app stored users' full-precision GPS coordinates locally in an unencrypted SQLite database on the client device.

This happened even when users had set their profiles to share only broad location information like country or city. The app's API provided exact latitude and longitude data to all viewers regardless of privacy settings, causing over-disclosure of sensitive location data.

The precise GPS data was cached in the `htbackup/` directory and could be accessed without root access via Android Debug Bridge (ADB) backup on Android 8 devices. Although HelloTalk later encrypted the local backup files around August 2019, the fundamental issue of sharing excessive location data remained.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact users by exposing their exact GPS location data without their consent, even if they intended to share only general location information such as city or country.

An attacker or unauthorized party with access to the device or its backups could retrieve highly precise location data, potentially compromising user privacy and safety.

Since the data was stored unencrypted and accessible without root access on certain Android versions, it increased the risk of location tracking or profiling by malicious actors.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of unencrypted local SQLite database files containing full-precision GPS coordinates in the HelloTalk app's backup directory on Android devices.

Specifically, you can use Android Debug Bridge (ADB) commands to inspect the `htbackup/` directory for such data, as the data was accessible without root access via ADB backup on Android 8.

• Use the command `adb backup -noapk hellotalk` to create a backup of the HelloTalk app data.
• Extract the backup and search for SQLite database files in the `htbackup/` directory.
• Use SQLite tools (e.g., `sqlite3`) to open the database and check for stored GPS coordinates with full precision.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include uninstalling or updating the HelloTalk app to a version later than 3.4.1 where the local database is encrypted and the vulnerability is addressed.

Since the vulnerable versions are no longer supported and the exploit is no longer reproducible, avoiding use of outdated versions is critical.

Additionally, users should be cautious about sharing location data and review app permissions related to location access.

Useful 0 Not Useful 0