Popular messaging app JusTalk, which advertises itself as secure and encrypted, has reportedly suffered a security lapse that revealed it was neither secure nor encrypted, after a huge cache of users’ unencrypted private messages was found online.
According to TechCrunch, the messaging app is widely used across Asia and has a booming international audience with 20 million users globally.
Google Play lists JusTalk Kids, billed as a child-friendly and compatible version of the messaging app, as having more than 1 million Android downloads.
JusTalk claims both its apps are end-to-end encrypted — where only the people in the conversation can read its messages — and boasts on its website that “only you and the person you communicate with can see, read or listen to them: Even the JusTalk team won’t access your data!”
But a review of the huge cache of internal data proves those claims are not true.
The data included millions of JusTalk user messages, along with the precise date and time they were sent and the phone numbers of both the sender and recipient.
It also contained records of calls that were placed using the app.
According to the report, security researcher Anurag Sen found the data this week and asked TechCrunch for help reporting it to the company.
Juphoon, the China-based cloud company behind the messaging app, said it spun out the service in 2016 and that the service is now owned and operated by Ningbo Jus, a company that appears to share the same office as listed on Juphoon’s website.
But despite multiple efforts to reach JusTalk’s founder Leo Lv and other executives, the company gave no response, the report said.
Because each message recorded in the data contained every phone number in the same chat, it was possible to follow entire conversations, including those of children using the JusTalk Kids app to chat with their parents.
The internal data also included the granular locations of thousands of users collected from users’ phones, with large clusters of users in the US, UK, India, Saudi Arabia, Thailand and China.