Popular Android Apps Leak User Data via Third-Party SDKs

Popular mobile applications that use third-party, ready-to-go advertising Software Development Kits (SDKs) expose user data by transmitting it over the insecure HTTP protocol, Kaspersky Lab warns.

While analyzing popular dating apps, the security firm discovered that user data is often transmitted unencrypted when SDKs from popular advertising networks are used. With some of the apps having several billion installations worldwide, security flaws put a gigantic amount of private data at risk.

Consisting of development tools and often provided free of charge, SDKs let app developers add capabilities to their apps immediately and save time to focus on other, more important elements. However, it also means that developers may not know that the code they are using contains security issues.

The advertising SDKs were designed to collect user data to show relevant ads and help developers monetize their product.

These kits send the collected data to the domains of popular advertising networks to enable more targeted ad display, but the data is sent unencrypted over HTTP, meaning it remains unprotected from a variety of attacks while in transit. The data is exposed via unprotected Wi-Fi, Internet Service Providers, or malware on a home router, Kaspersky says.

Not only can the data be intercepted, but it can also be modified, which could result in users being exposed to malicious ads instead of legitimate ones. This could result in users being tricked into downloading promoted applications that could turn out to be malware.

Analysis of a file one of the applications was sending to an analytics company revealed the type of data being transmitted unencrypted: device information, date of birth, user name, and GPS coordinates, along with information on app usage (such as profiles liked by the user).

Other analyzed dating apps showed similar behavior: they used HTTPS to communicate with their own servers but made HTTP requests to a third-party server. This server belonged to an advertising network used by both dating apps, and the user data was sent as parameters in a URL.

What Kaspersky discovered was that the leaky applications were using large amounts of third-party code, with every app containing at least 40 different modules.

“They make up a huge part of these apps – at least 75% of the Dalvik bytecode was in third-party modules; in one app the proportion of third-party code was as high as 90%,” Kaspersky’s Roman Unuchek notes in a blog post.

After diving into the GET and POST requests through which popular applications with third-party SDKs were sending unencrypted data, the security firm was able to identify the most popular SDKs leaking user data, as well as the domains the data was being sent to.

The four most popular domains the apps were exposing data to via GET requests include mopub.com (used in apps with hundreds of millions of installs), rayjump.com (nine of the apps had a total of 2 billion installs), tappas.net (tens of millions of installations), and appsgeyser.com (supposedly used in 6 million apps with almost 2 billion installations between them).

The four most popular domains the apps were exposing data to via POST requests include ushareit.com (one of the apps had more than 500 million installs), Lenovo (which was leaking user data because of a mistake by developers), Nexage.com (nearly 1.5 billion installs in 8 apps alone), and Quantumgraph.com (with tens of millions of installs).

In most cases, the SDKs were leaking data such as device information (screen resolution, storage size, volume, battery level, OS version, IMEI, IMSI, language), network information (operator name, IP address, connection type, signal strength, MAC), device coordinates, Android ID, app usage, and personal information such as user name, age and gender. Phone number and email address can also be leaked.

The main issue with these apps is that they send the data unencrypted, so it can be intercepted: anyone able to intercept the traffic can learn a lot about the user and, depending on the transmitted data, can even use it to do harm. Additionally, the data can be modified in transit, enabling further malicious attacks.

“Starting from the second half of 2016, more and more apps have been switching from HTTP to HTTPS. So, we are moving in the right direction, but too slowly. As of January 2018, 63% of apps are using HTTPS but most of them are still also using HTTP. Almost 90% of apps are using HTTP. And many of them are transmitting unencrypted sensitive data,” Unuchek points out.

The security researcher urges developers to stop using HTTP and to turn on 301 redirection to HTTPS for the frontends. They should also encrypt data, always use the latest version of an SDK, and check the app’s network communications before publishing.
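The pre-publish network check recommended above can be automated. The following is an added example, not code from Kaspersky, Unuchek or SecurityWeek: it scans a constructed summary of an app's captured requests (method, URL, form body) and reports every plaintext http:// request that carries a sensitive parameter in its query string or POST body. The host names, parameter names and values are assumptions made for illustration; real SDKs use their own key names.

```python
"""Pre-publish check: flag cleartext requests that carry sensitive fields.

Added example. Input is a constructed list of (method, url, body) tuples,
the way a proxy capture of the app under test might be summarised.
"""
from urllib.parse import parse_qsl, urlsplit

# Field names the article says ad SDKs were seen sending in the clear.
# The exact key names are an assumption; adapt them to the SDKs you ship.
SENSITIVE_KEYS = {
    "imei", "imsi", "mac", "android_id", "lat", "lon", "latitude", "longitude",
    "email", "phone", "username", "birthday", "age", "gender",
}


def extract_params(method, url, body):
    """Return every key/value pair the request carries: the query string for
    any method, plus a form-encoded body for POST requests."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        params += parse_qsl(body, keep_blank_values=True)
    return params


def find_cleartext_leaks(requests):
    """Return one finding per plaintext (http://) request that carries a
    sensitive parameter, as (host, method, sorted list of leaked keys)."""
    findings = []
    for method, url, body in requests:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # HTTPS: transport is encrypted, out of scope here
        leaked = sorted({key for key, _ in extract_params(method, url, body)
                         if key.lower() in SENSITIVE_KEYS})
        if leaked:
            findings.append((parts.hostname, method.upper(), leaked))
    return findings


# Constructed sample capture; hosts and values are made up for illustration.
SAMPLE_CAPTURE = [
    ("GET", "https://api.dating-app.example/profile?user=123", ""),
    ("GET", "http://ads.adnetwork.example/v1/req?imei=000000000000000&lat=52.52&lon=13.40", ""),
    ("POST", "http://track.analytics.example/event", "android_id=abc123&email=user@mail.example"),
    ("GET", "http://cdn.example/static/logo.png", ""),
]

if __name__ == "__main__":
    for host, method, keys in find_cleartext_leaks(SAMPLE_CAPTURE):
        print(f"CLEARTEXT {method} to {host}: {', '.join(keys)}")
```

Run it against a real capture exported from an intercepting proxy before release; any finding means an SDK (or the app itself) is sending that field over HTTP and should be updated or removed.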

Users are advised to check the permissions requested by each application and only grant those permissions that are required for the application’s functionality. They should also use a VPN, which would encrypt the traffic to external servers.

“The scale of what we first thought was just specific cases of careless application design is overwhelming. Millions of applications include third party SDKs, exposing private data that can be easily intercepted and modified – leading to malware infections, blackmail and other highly effective attack vectors on your devices,” Unuchek said.

Related: Mobile Ad SDK Exposes iOS Users to Remote Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
