Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Mobile & Wireless

Popular Android Apps Leak User Data via Third-Party SDKs

Popular mobile applications that use third-party, ready-to-go advertising Software Development Kits (SDKs) expose user data by transmitting it over the insecure HTTP protocol, Kaspersky Lab warns.

Popular mobile applications that use third-party, ready-to-go advertising Software Development Kits (SDKs) expose user data by transmitting it over the insecure HTTP protocol, Kaspersky Lab warns.

While analyzing popular dating apps, the security firm discovered that user data is often transmitted unencrypted when SDKs from popular advertising networks are used. With some of the apps having several billion installations worldwide, security flaws put a gigantic amount of private data at risk.

Consisting of development tools and often provided free of charge, SDKs allow app developers to immediately include some capabilities into their apps and save time while focusing on other, more important elements. However, it also means that developers don’t know that the used code may contain security issues.

The advertising SDKs were designed to collect user data to show relevant ads and help developers monetize their product.

These kits would send the collected data to the domains of popular advertising networks to ensure more targeted ad displaying, but the data is sent unencrypted over HTTP, meaning it remains unprotected from a variety of attacks while in transit. The data is exposed via unprotected Wi-Fi, Internet Service Providers, or malware on a home router, Kaspersky says.

Not only can the data be intercepted, but it can also be modified, which could result in users being exposed to malicious ads instead of legitimate ones. This could result in users being tricked into downloading promoted applications that could turn out to be malware.

Analysis of a file one of the applications was sending to an analytics company revealed the type of data being transmitted unencrypted: device information, date of birth, user name, and GPS coordinates, along with information on app usage (such as profiles liked by the user).

Advertisement. Scroll to continue reading.

Other analyzed dating apps were showing similar behavior, using HTTPS to communicate with their servers, but making HTTP requests to a third-party server. This server was belonging to an advertising network used by both dating apps and the user data was sent as parameters in a URL.

What Kaspersky discovered was that the leaky applications were using large amounts of third-party code, with every app containing at least 40 different modules.

“They make up a huge part of these apps – at least 75% of the Dalvik bytecode was in third-party modules; in one app the proportion of third-party code was as high as 90%,” Kaspersky’s Roman Unuchek notes in a blog post.

After diving into the GET and POST requests through which popular applications with third-party SDKs were sending unencrypted data, the security firm was able to identify the most popular SDKs leaking user data, as well as the domains the data was being sent to.

The four m
ost popular domains the apps were exposing data to via GET requests include (used in apps with hundreds of millions of installs), (nine of the apps had a total of 2 billion installs), (tens of millions of installations), and (supposedly used in 6 million apps with almost 2 billion installations between them).

The four most popular domains the apps were exposing data to via POST requests include (one of the apps had more than 500 million installs), Lenovo (which was leaking user data because of a mistake by developers), (nearly 1.5 billion installs in 8 apps alone), and (with tens of millions of installs).

In most cases, the SDKs were leaking data such as device information (screen resolution, storage size, volume, battery level, OS version, IMEI, IMSI, language), network information (operator name, IP address, connection type, signal strength, MAC), device coordinates, Android ID, app usage, and personal information such as user name, age and gender. Phone number and email address can also be leaked.

The main issue with these apps is that they send the data unencrypted, meaning that it can be intercepted. This means that anyone able to intercept the data can learn a lot about the user, and, depending on the transmitted data, can even use it to do harm. Additionally, the data can be modified, leading to other malicious attacks.

“Starting from the second half of 2016, more and more apps have been switching from HTTP to HTTPS. So, we are moving in the right direction, but too slowly. As of January 2018, 63% of apps are using HTTPS but most of them are still also using HTTP. Almost 90% of apps are using HTTP. And many of them are transmitting unencrypted sensitive data,” Unuchek points out.

The security researcher urges developers to stop using HTTP and to turn on 301 redirection to HTTPS for the frontends. They should also encrypt data, always use the latest version of an SDK, and should check the app’s network communications before publishing.

Users are advised to check the permissions requested by each application and only grant those permissions that are required for the application’s functionality. They should also use a VPN, which would encrypt the traffic to external servers.

“The scale of what we first thought was just specific cases of careless application design is overwhelming. Millions of applications include third party SDKs, exposing private data that can be easily intercepted and modified – leading to malware infections, blackmail and other highly effective attack vectors on your devices,” Unuchek said.

Related: Mobile Ad SDK Exposes iOS Users to Remote Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.