User profile information leaked to (essentially) every other app on Android #9
The Tok app creates a directory on shared storage and adds subdirectories named after user profiles. That in itself tells every app with "storage" permission (which is practically every damned app on Android these days) that Tok is installed, and gives away all the user's profile names. It looks like it puts stuff like avatars (probably the user's picture!) in there too.
An app like this should never, ever, put anything outside of its own private storage without explicit, knowing direction from the user. Nor, for that matter, should it ask for storage permission at all until the user actually tells it to use shared storage for something specific. Android shared storage is a dumpster fire.
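The storage pattern this issue describes, next to the app-private alternative and a user-directed export, as an added example (not code from Tok or from the issue author). `ProfileStorage`, `ExportActivity`, `ExampleApp`, `currentProfile()` and the file names are hypothetical; the Android calls are standard platform APIs.

```kotlin
import android.app.Activity
import android.content.Context
import android.content.Intent
import android.os.Environment
import java.io.File

// `name` is assumed to be validated elsewhere as a single path segment.
object ProfileStorage {
    // Pattern the issue describes: a per-profile directory on shared storage.
    // Any app holding the storage permission can list it, so the directory
    // names alone reveal the app's presence and every profile name.
    @Suppress("DEPRECATION")
    fun sharedProfileDir(name: String): File =
        File(Environment.getExternalStorageDirectory(), "ExampleApp/$name").apply { mkdirs() }

    // Hardened: app-private internal storage. Needs no permission, and other
    // apps cannot list or read it.
    fun privateProfileDir(context: Context, name: String): File =
        File(context.filesDir, "profiles/$name").apply { mkdirs() }

    fun avatarFile(context: Context, name: String): File =
        File(privateProfileDir(context, name), "avatar.png")
}

class ExportActivity : Activity() {
    private val requestExport = 1001

    // Runs only when the user picks an explicit "export avatar" action.
    // The system picker lets the user choose the destination, and the app
    // never requests the storage permission.
    fun startAvatarExport() {
        val intent = Intent(Intent.ACTION_CREATE_DOCUMENT).apply {
            addCategory(Intent.CATEGORY_OPENABLE)
            type = "image/png"
            putExtra(Intent.EXTRA_TITLE, "avatar.png")
        }
        startActivityForResult(intent, requestExport)
    }

    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
        super.onActivityResult(requestCode, resultCode, data)
        if (requestCode != requestExport || resultCode != RESULT_OK) return
        val target = data?.data ?: return // content URI the user chose
        val source = ProfileStorage.avatarFile(this, currentProfile())
        contentResolver.openOutputStream(target)?.use { out ->
            source.inputStream().use { it.copyTo(out) }
        }
    }

    private fun currentProfile(): String = "default" // hypothetical placeholder
}
```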