User Location and Info publicly accessible by username in RealTime GPS Tracker App

Report ID



  • Vendor: Greenalp
  • Product: RealTime GPS Tracker (Package-Name: com.greenalp.RealtimeTracker)
  • Affected Version: android:versionName=“0.9.81″
  • Severity: High
  • Short summary: With a known username, an adversary can publicly access the location and other info about the user cellphone, if default settings are still set.


An adversary can visit

with a known username to view the location and other info like speed, direction, battery status of the user. The user is able to login on the website to prevent this behavior or restrict it to friends. But the default setting is that this info is publicly accessible.


The user can login on and set the permissions to friends or nobody.

Suggested Mitigation

Default setting should be that nobody is able to see location and info by default.


  • 2017-08-26: Vulnerability discovered
  • 2017-08-30: Advisory sent to developer
  • 2017-08-31: Developer replied with „won’t be fixed, behaviour is intended in that way“
  • 2018-08-11: Published