December 14, 2025
James Burnett banner

Serious Privacy Leak Found in Radioddity GMRS App

A new investigation has uncovered a major privacy breach affecting users of popular GMRS and ham radio companion apps, especially those who use Radioddity and similar brands. If you use one of these radio apps on your iPhone or Android device, your personal information may have been exposed.

And this wasn’t a small glitch. The findings show unsecured, unencrypted transmission of passwords, email addresses, and even GPS location data to servers located in China.

What Happened?

Using a controlled “man-in-the-middle” testing setup, I discovered that the walkie-talkie companion app was sending sensitive data through unencrypted HTTP connections (port 80). This means the information being transferred could easily be intercepted by anyone monitoring the network, and the app itself was openly broadcasting it.

Here’s what the inspection found leaking in plain text:

1. Your Email Address

When you register with the app, your email address is sent over the internet without any encryption.

2. Your Password, in Plain Text

Even worse, the app sends your actual password in the clear. Not hashed, not encrypted, just raw text anyone can capture.

This is one of the most serious mistakes an app can make.

3. Your Hashed Login Password

Even after registration, the hashed version of your password is sent. While a hash is normally safer, sending it insecurely can still allow attackers to crack it using brute-force tools.

4. Your GPS Location

The app regularly transmits your exact latitude and longitude, even when you’re not using features like “nearby users.” This means the app can be continuously reporting your physical location.

5. Other Users’ Personal Info

Shockingly, the app also leaks other people’s email addresses and usernames, simply by tapping on their profiles. Anyone monitoring the traffic can collect a list of users.

This goes far beyond poor security. It’s a complete disregard for user privacy.

How I Discovered It

I used a Linux firewall system configured as a man-in-the-middle device. By routing the phone’s Wi-Fi traffic through this system, I could inspect the raw data the app sent and received.

I also used a network-monitoring tool called Sniffhud to see where the connections were going. What showed up was concerning:

  • Multiple connections to servers located in China
  • Unsecured HTTP traffic
  • Telemetry (like GPS data) being transmitted regularly
  • User credentials sent without encryption

These findings were not theoretical; they appeared live on screen as the researcher registered a test account and interacted with the app.
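An added example, not from the original post or the app: one way to automate the kind of traffic review described above, by parsing cleartext HTTP requests from your own capture and flagging those that carry emails, passwords, password hashes, or coordinates. The requests, host, paths, and field names are constructed for illustration; the post does not show the app's actual requests.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed cleartext requests; host, paths and field names are hypothetical.
SAMPLE_REQUESTS = [
    "POST /api/register HTTP/1.1\r\nHost: app.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "email=test%40example.com&password=Hunter2%21",
    "POST /api/login HTTP/1.1\r\nHost: app.example.invalid\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"user": "test@example.com", "pwd": "5f4dcc3b5aa765d61d8327deb882cf99"}',
    "GET /api/heartbeat?lat=40.7128&lng=-74.0060 HTTP/1.1\r\nHost: app.example.invalid\r\n\r\n",
]
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
HEX_DIGEST = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")
COORD = re.compile(r"-?\d{1,3}\.\d+")
PASSWORD_KEYS = {"password", "passwd", "pwd", "pass"}
GEO_KEYS = {"lat", "latitude", "lng", "lon", "long", "longitude"}

def extract_fields(raw):
    """Return (path, [(key, value), ...]) from the query string and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    url = urlsplit(head.split(" ", 2)[1])
    is_json = "application/json" in head.lower()
    body_fields = json.loads(body).items() if is_json and body else parse_qsl(body)
    fields = parse_qsl(url.query) + [(k, str(v)) for k, v in body_fields]
    return url.path, fields

def classify(key, value):
    """Label one field with the kind of sensitive data it carries, or None."""
    key = key.lower()
    if key in PASSWORD_KEYS:
        # A digest-shaped value is still sensitive, but distinguish it from raw text.
        return "password-hash" if HEX_DIGEST.fullmatch(value) else "password-cleartext"
    if EMAIL.fullmatch(value):
        return "email"
    if key in GEO_KEYS and COORD.fullmatch(value):
        return "gps"
    return None

def audit(requests):
    """Map each request path to the sorted sensitive-data labels found in it."""
    report = {}
    for raw in requests:
        path, fields = extract_fields(raw)
        labels = {classify(k, v) for k, v in fields} - {None}
        if labels:
            report[path] = sorted(labels)
    return report
```

Calling `audit(SAMPLE_REQUESTS)` returns one entry per request path that exposed something; a request with no sensitive fields does not appear in the report.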

Why This Is a Big Problem

For an app tied to personal radios, a hobby often associated with preparedness, safety, and emergency communication, leaking this level of personal data is extremely dangerous.

It exposes:

  • Your email address
  • Your password
  • Your location
  • Your identity on the app’s “social media” system
  • Other users’ information

And all of it is going to foreign servers with no protection.

Even if some features legitimately need to contact a server (like “nearby user” maps), there is no reason passwords, GPS data, and other users’ info should be openly transmitted.

Do You Really Need an Account to Program a Radio?

One of the biggest frustrations raised in the investigation is the idea that you must create an online account just to configure your own radio.

There is no technical necessity for a radio-programming app to require:

  • Email addresses
  • Passwords
  • Social-media-style accounts
  • Location sharing

The researcher concludes the safest choice is simple:

If a radio app requires you to register an account just to configure your device, don’t use it.

What You Should Do Now

If you have installed a walkie-talkie or Baofeng companion app, you should assume your data may have been exposed.

Here are the immediate steps to take:

  1. Delete the app from your phone.
  2. Change the password you used for the app, especially if you reused it anywhere else.
  3. Review your email security, including recovery options and multi-factor authentication.
  4. Avoid using radio apps that demand registration for simple configuration tasks.

Final Thoughts

This incident highlights a growing issue: consumer-grade devices and apps, especially those from overseas manufacturers, are often built with little regard for security. And when these devices are tied to communication tools, the risks become even greater.

Transparency, encryption, and data protection should never be optional. Yet in this case, the app failed at the most basic level.

Your personal data, your password, and your physical location were essentially broadcast to the world.

Until radio manufacturers like Radioddity take security seriously, users will need to stay cautious, skeptical, and willing to walk away from any device or app that demands more information than it needs.
