I turned on my old HTC espresso after a decade and I remembered that I loved this app.
It creates an unique profile image for contacts without a profile picture
So now when you open the contact list instead of having a list of capital letters in a circle you have a list of capital letters in a more colorful circle
Unfortunately it’s now outdated and discontinued, but it still works on Android 14.
Seems like some asshole took the source code and republished the app as is, without credit, in the Amazon app store to get some financial incentive (around 2014 blackberry paid devs to republish their apps and many assholes decided that it was a good idea to “steal” open source apps)
After this, dev took development private but then got tired of the update treadmill that Google forces on the play store, so the apps were automatically delisted.
Luckily, fdroid doesn’t have such artificial limitations on outdated apps that still work as intended.
I would be wary of running outdated apps like that even if their main functionality remains unchanged as they are almost certainly using some vulnerable outdated dependencies.
Even for a 100% offline app?
The chance of something like this being exploited is much lower than a zero day on the browser you’re using right now
Not to mention that you can install it and then immediately uninstall it after it generated the profile pics
It likely parses the profile pictures with some image parsing libraries, those have frequent security issues.
Apart that in this specific case it only touches empty contacts or overwrites existing, but who would have placed in your own contact list a specially crafted image with the exploit targeting this niche app that nobody uses?
I insist that something that’s not a web browser and it’s not connected to internet doesn’t need weekly/monthly updates. The program it’s done and it’s ok to stop development.
the exploit targeting this niche app that nobody uses?
Which likely uses one of the extremely common libraries for image parsing which are much more likely to be targeted. And profile pictures enter your contacts from all kinds of online sources.
btw you know what’s the beauty of open source? That you can take the source and update the vulnerable library to a nightly updated 2 hours ago, if it’s that important for you.
I guess you’re watching every month that all your apps are updated to the latest version. “OMG this app hasn’t been updated in the last 6 weeks, IMMEDIATE UNINSTALL!!!”
For me, the chance that one of my contact pics contain an exploit (i would mean that i manually did it, i don’t use online services) my is lower than getting hit by an asteroid, so i accept the risk.
Goodness, someone got out of bed on the wrong side this morning. I remember when this app came out! I’m pretty sure some of my contacts still have the pictures.
The app requests Network Permissions
Thanks for sharing this.