Send Message to User with username without authentication in RealTime GPS Tracker App

Report ID



  • Vendor: Greenalp
  • Product: RealTime GPS Tracker (Package-Name: com.greenalp.RealtimeTracker)
  • Affected Version: android:versionName="0.9.81"
  • Severity: High
  • Short summary: With a known username, an adversary can publicly access the location and other information about the user's cellphone if the default settings are still in place.


An adversary can visit

with a known username to send messages to the phone on which the app is running. The user can prevent this by logging in on and then setting the view location permission to "nobody but me".


The user can log in on and set the permissions to friends or nobody.

Suggested Mitigation

The default setting should be that nobody is allowed to send messages to the user.


  • 2017-08-26: Vulnerability discovered
  • 2017-08-29: First email sent to support
  • 2017-08-30: Advisory sent to developer
  • 2017-08-31: Developer replied with "won't be fixed, behaviour is intended in that way"
  • 2018-08-11: Published