When Your Phone’s Wellness and Security Apps Betray Your Trust

For this guest feature, Aras Nazarovas, a security researcher at Cybernews, highlights how some meditation and wellness apps and spam text and call blocking apps, which are meant to protect users, are instead leaking sensitive data, putting user privacy and safety at risk.

Apps designed to protect our peace of mind are increasingly becoming sources of anxiety. Take 7 Minute Chi – Meditate & Move, a meditation app marketed to reduce stress, and Robo Spam Text & Call Blocker, an iOS tool meant to shield users from robocalls and phishing. Both promised safety – one for mental well-being, the other for digital security.

Instead, they exposed sensitive user data through security failures, revealing a worrying truth: the apps we trust to guard our privacy are often the weakest links in our digital lives.

The Irony of Leaky Safe Spaces

The 7 Minute Chi breach laid bare the names and emails of over 100,000 users, together with app secrets such as API keys and Facebook credentials, all because of a misconfigured Firebase database. This is a betrayal. Users sought calm and focus, only to have their data potentially weaponised for phishing or identity theft.

Likewise, Robo Spam Text & Call Blocker, downloaded 93,000 times, leaked 339,000 reported spam numbers, customer support tickets containing real names and emails, and critical app secrets. Criminals now know which numbers users block and which keywords to avoid, which lets them craft scams that slip past filters.

These leaks aren’t accidents but symptoms of systemic negligence. Firebase misconfigurations that leave databases publicly accessible, and hardcoded secrets embedded in app code, are shockingly common. Our research shows that 71% of 156,080 sampled iOS apps leak at least one secret, with an average of 5.2 per app. When developers cut corners, apps designed to protect become tools for exploitation.
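As an added illustration (not code from the article or from Cybernews’ research tooling), here is a minimal pre-release check a developer could run over the strings dumped from an app bundle to catch the two problems described above: hardcoded credentials and references to a Firebase database. The Google and AWS key shapes are well-known; the Firebase URL pattern, the generic assignment pattern, the entropy threshold and the sample strings are assumptions constructed for this example.

```python
import collections
import math
import re

# Well-known secret shapes: Google/Firebase API keys are "AIza" + 35 chars, AWS access
# key ids are "AKIA" + 16 chars. The Firebase URL pattern (assumed) covers both RTDB hosts.
KNOWN_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "firebase_db_url": re.compile(r"https://(?:[a-z0-9-]+\.)+(?:firebaseio\.com|firebasedatabase\.app)"),
}
# Catch-all for "secret-looking name = long token"; the entropy gate drops obvious placeholders.
ASSIGNMENT = re.compile(
    r"(?i)(?:secret|token|password|api[_-]?key)\W{0,3}[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})")
MIN_ENTROPY = 3.5  # bits per character; an assumed threshold, tune it for your code base

def shannon_entropy(text: str) -> float:
    if not text:  # an empty string would otherwise divide by zero
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(text).values())

def scan_strings(lines):
    """Return (line_no, kind, value) for each likely hardcoded secret or Firebase reference."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        seen = set()
        for kind, pattern in KNOWN_PATTERNS.items():
            for match in pattern.finditer(line):
                seen.add(match.group(0))
                findings.append((line_no, kind, match.group(0)))
        for match in ASSIGNMENT.finditer(line):
            value = match.group(1)
            if value in seen or shannon_entropy(value) < MIN_ENTROPY:
                continue  # already reported under a known shape, or a low-entropy placeholder
            findings.append((line_no, "high_entropy_assignment", value))
    return findings

# Constructed sample of strings as they might be dumped from an app bundle; no real credentials.
SAMPLE_STRINGS = [
    "CFBundleIdentifier = com.example.wellness",
    'FIREBASE_API_KEY = "' + "AIzaSyEXAMPLE" + "0" * 26 + '"',
    "databaseURL = https://example-app-default-rtdb.firebaseio.com",
    'facebook_app_secret: "c4b1e9f0d27a3856b9e1f4a0c2d7e8f1"',
    "password = changeme_changeme",
    "AWS_KEY = " + "AKIAEXAMPLE" + "0" * 9,
]

if __name__ == "__main__":
    for line_no, kind, value in scan_strings(SAMPLE_STRINGS):
        print(f"line {line_no}: {kind}: {value}")
```

The placeholder password on line 5 is filtered by the entropy gate, while the Firebase key, database URL, Facebook secret and AWS key id are all reported.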

The Human Cost of Broken Promises

For users, the fallout is deeply personal. Just imagine receiving a phishing email that references your meditation habits, perhaps even mentioning the specific app you use or the routines you follow – details you thought were private.

Or picture answering a spam call that not only gets past your trusted blocker but uses language and tactics tailored to your reported preferences and blocked keywords, making the scam far more convincing.

In both cases, the sense of violation is profound: information you shared in the pursuit of calm or safety is now being used to target and manipulate you, turning trusted digital spaces into sources of new anxiety.

A Failure of Accountability

Neither Apple’s App Store reviews nor developer due diligence prevented these breaches. 7 Minute Chi’s Firebase instance sat exposed for weeks, while Robo Spam Text & Call Blocker’s parent company, Brantley Media Group, has a history of leaks, including an AI app that exposed users’ intimate stories.

Yet, Apple’s ecosystem, often perceived as a “walled garden,” lacks mechanisms to scan for hardcoded secrets or enforce secure cloud configurations.

What’s Next?

To restore trust, the industry must prioritise:

  • Expand app store reviews to include backend security checks: Apple and other platform owners should incorporate automated scans for misconfigured databases, hardcoded credentials, and other backend vulnerabilities before approving apps.
  • Follow secure coding standards: developers must conduct regular code reviews and use automated security testing tools to catch vulnerabilities early.
  • Provide real-time privacy visualisations and alerts: give users dashboards or notifications that reveal how their data is used and alert them immediately to potential leaks or suspicious activity.
  • Offer post-breach support and transparency: notify users quickly when a breach occurs, give guidance on protective actions, and offer services such as personal data scans to help them recover.
  • Regularly update and patch apps.

As the lead researcher on these investigations, I urge users to demand better. Change passwords exposed in breaches, limit data shared with apps, vet apps before installing them as much as you can, and pressure platforms to enforce stricter standards. Until then, the very tools marketed to protect us will continue to leave us exposed.

The author of this guest editorial is Aras Nazarovas, an Information Security Researcher at Cybernews, a research-driven online publication.
