The Go SMS Pro texting app has over 100 million installations from the Google Play Store, but popularity doesn’t matter: You need to stop using it and delete it from your phone now. Cybersecurity firm Trustwave recently discovered a major security loophole in the app that makes all photos, videos, and other media attachments you’ve sent through the app publicly accessible.
(That’s very bad.)
Here’s what’s happening: All media files that you send via Go SMS Pro are saved to a server and assigned a URL. Those URLs are not secured in the slightest, making them accessible to anyone else who knows the correct URL.
Worse, the files are also sequentially ordered, so other media files that Go SMS Pro hosts can be accessed by editing any regular hyperlink. Using this method, TechCrunch found sensitive financial information, home addresses, transaction receipts, and explicit photos that had been sent through the app. These links aren’t restricted to Go SMS Pro users, either: anyone who knows the URL scheme of one link could easily extrapolate to find more.
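The flaw described above comes down to attachment links that are both unauthenticated and predictable. As an added example (not Go SMS Pro's or Trustwave's code; every name, the key handling and the 24-hour lifetime are assumptions), this Python code contrasts counter-based IDs with random IDs plus a signed expiry that a server would check before serving a file:

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical per-deployment secret; a real service loads it from a key store.
SIGNING_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 24 * 3600  # assumed lifetime for a shared attachment link


class SequentialIds:
    """Weak pattern: each upload gets the next counter value, so IDs are guessable."""
    def __init__(self, start=4096):
        self._next = start

    def new_id(self):
        self._next += 1
        return format(self._next, "x")


def new_media_id():
    """128 bits from the OS CSPRNG: one ID reveals nothing about any other."""
    return secrets.token_urlsafe(16)


def _sign(media_id, expires):
    # JSON-encode the fields so their boundaries are unambiguous.
    msg = json.dumps([media_id, expires]).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(media_id, now=None):
    """Return link parameters carrying an expiry that the signature protects."""
    expires = int(time.time() if now is None else now) + LINK_TTL_SECONDS
    return {"id": media_id, "exp": expires, "sig": _sign(media_id, expires)}


def verify_link(params, now=None):
    """True only for an unmodified, unexpired link; checked before serving."""
    now = int(time.time() if now is None else now)
    try:
        media_id, expires = str(params["id"]), int(params["exp"])
        supplied = str(params["sig"]).encode()
    except (KeyError, TypeError, ValueError):
        return False
    expected = _sign(media_id, expires).encode()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, supplied) and now <= expires
```

A link built this way is still a bearer link, so anyone it is forwarded to can open it until it expires; the random ID and signed expiry only remove the ability to derive one user's link from another's.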
That’s a huge privacy issue, but what’s most alarming is that Go SMS Pro’s developers don’t appear to be rushing to fix the problem. Trustwave immediately notified the developers of the issue in August 2020, but no one responded. The firm made four more unsuccessful attempts before disclosing the flaw publicly. TechCrunch and The Verge also sent emails to the developer, but the messages were either ignored or returned to sender due to “full inboxes.” The Verge also discovered the website listed on the app’s Play Store listing doesn’t load.
Should you trust Go SMS Pro’s developer? For these reasons, the app checks all of our “do not recommend” boxes. If you’re one of the many millions of people who have already installed it, stop using the app and delete it, and tell any contacts who use it to do the same. There’s nothing you can do about media files you’ve already sent using the app, unfortunately.
Here are a few quick alternatives for messaging apps you can try:
- The simplest option is to revert to the default messaging app on your phone, such as Google Messages or Samsung Messages.
- WhatsApp and Facebook Messenger are basically the same chat service at this point, and both can work as your default texting app, too. They can also connect to your Instagram DMs if you update your Instagram app, and you have the option to encrypt your conversations.
- Then there are the apps that focus on privacy first, like Signal, Telegram, and Viber, which offer features like end-to-end encryption, along with the best auto-deletion settings for texts and media attachments. These are much better choices when you need to text sensitive information or files; definitely avoid Go SMS Pro.