Popular video calling and messaging app JusTalk has always advertised itself as both secure and encrypted, but it recently suffered a security lapse that led to the release of a cache of users’ unencrypted messages. The messaging app is widely used across Asia and has a thriving international audience, with 20 million users worldwide. Google Play lists JusTalk Kids, billed as the child-friendly and compatible version of the messaging app, as having more than 1 million Android downloads.
The Unencrypted Messages Were Discovered by a Security Researcher
JusTalk states that both its apps are end-to-end encrypted, meaning only the people in the conversation can read the messages, and boasts on its website that “only you and the person you communicate with can see, read or listen to them: Even the JusTalk team won’t access your data!” Security researcher Anurag Sen discovered the leaked data of unencrypted messages this week. Juphoon, the China-based cloud company behind the messaging app, said it spun out the service in 2016 and that the service is now owned and operated by Ningbo Jus, a company that appears to share the same office as listed on Juphoon’s website.
The Leaked Data Also Included Personal Information of the Users
Furthermore, along with the unencrypted messages, the internal data also included the granular locations of thousands of users, collected from users’ phones, with large clusters of users in the United States, United Kingdom, India, Saudi Arabia, Thailand, and mainland China.
According to Sen, the data also contained records from a third app, JusTalk 2nd Phone Number, which allows users to generate virtual, ephemeral phone numbers to use instead of giving out their private cell phone numbers. A review of some of these records reveals both the user’s cell phone number and every ephemeral phone number they generated.