Cerberus anti-theft – an exploit allowing you to access any device


You may or may not have heard of Cerberus, an anti-theft application for Android devices. Cerberus allows you to remotely control your device if it has been lost or stolen. Features include: locate and track your device, start alarms, get a list of recent calls, download SMS messages, take pictures, record video, record audio and much more – all of which is done discreetly without the “thief” knowing, so you can track your phone down and attempt to recover it. Pretty cool, right? Now imagine if anyone could access your device and listen to your conversations. A security hole in Cerberus allows just that.

You may think Cerberus is pretty secure. You have a username and password, which only you know, similar to Facebook and practically every other website out there with a login system. 99% of the time this is fine and the accepted standard for authenticating yourself. The problem here lies with what’s going on behind the scenes. When you log in with your username and password, the Cerberus API replies with a “device ID”, which looks like a randomly generated 15-digit number. This ID is then sent with every subsequent request and is what actually “authenticates” you – that’s right, your username and password aren’t used past the initial login. Upon further investigation it turns out that this number is your device’s IMEI number.
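To make the flaw concrete, here is a small model of the two authentication designs side by side: the pattern the post describes, where the post-login “device ID” is just the IMEI and is accepted as proof of identity, and a hardened version that mints a random, expiring session token bound to the account. This is an added illustration written for this post, not Cerberus code; the account data and IMEI value are constructed samples, and the plaintext password is a shortcut to keep the example short (real code stores a hash).

```python
import hmac
import secrets
import time

# Constructed sample account: username, password and the device's 15-digit IMEI
# (made-up value; a real deployment would store a password hash, not plaintext).
ACCOUNTS = {
    "alice": {"password": "correct horse", "imei": "356938035643809"},
}

# --- Vulnerable pattern from the post ----------------------------------------
# Login hands back the IMEI as the "device ID", and later requests are accepted
# whenever they carry an enrolled IMEI. A device identifier is a label, not a
# secret, so possession of it proves nothing about who is calling.
def login_vulnerable(username, password):
    acct = ACCOUNTS.get(username)
    if acct is None or acct["password"] != password:
        return None
    return acct["imei"]

def authorize_vulnerable(device_id):
    return any(a["imei"] == device_id for a in ACCOUNTS.values())

# --- Hardened pattern --------------------------------------------------------
# Login mints an unguessable random token, stores it server-side bound to the
# account with an expiry, and the IMEI never acts as a credential.
SESSIONS = {}          # token -> (username, expiry as epoch seconds)
TOKEN_TTL = 3600       # seconds a session stays valid

def login_hardened(username, password, now=None):
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(acct["password"], password):
        return None
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    issued = now if now is not None else time.time()
    SESSIONS[token] = (username, issued + TOKEN_TTL)
    return token

def authorize_hardened(token, now=None):
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, expiry = entry
    if (now if now is not None else time.time()) > expiry:
        del SESSIONS[token]              # expired: revoke and reject
        return None
    return username

def token_is_device_identifier(token):
    # Review check: a credential must never equal or embed a device identifier.
    return any(a["imei"] in token for a in ACCOUNTS.values())
```

The `token_is_device_identifier` check is the kind of test a reviewer can run against any API that returns a session value after login: if the value matches a hardware or account identifier, it is not a credential.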

