Millions of applications risk exposing personal data due to 3rd party code
While analyzing popular dating apps, Kaspersky Lab researchers have found that some transmit unencrypted user data over the insecure HTTP protocol, risking the exposure of user data. This is because some applications use third party ready-to-go advertising SDKs, which are part of some of the most popular advertising networks. The apps involved include some with several billion installations worldwide, and a serious security flaw means private data could be intercepted, modified, and used in further attacks, leaving many users defenseless.
An SDK is a set of development tools, often distributed free of charge, which allows software authors to focus on the main elements of an application, while entrusting other features to ready-to-go SDKs. Developers often use third party code to save time by reusing existing functionality to create part of the application. For instance, advertising SDKs collect user data in order to show relevant ads, thus helping developers to monetize their product. The kits send user data to the domains of popular advertising networks for more targeted ad displaying.
But deeper analysis of applications has shown that data is sent unencrypted, and over HTTP, which means it is unprotected when it travels to the servers. Due to the absence of encryption, data can be intercepted by anyone – via unprotected Wi-Fi, by the Internet Service Provider or through malware on a home router. Worse still, the intercepted data can also be modified, meaning the application will show malicious ads instead of legitimate ones. Users will then be enticed to download a promoted application, which will turn out to be malware and put them at risk.
Kaspersky Lab researchers have examined logs and network traffic of applications in the internal Android Sandbox to uncover which applications transmit unencrypted user data to networks over HTTP. They identified a number of major domains, most of them part of popular advertising networks. The number of applications using these SDKs totals several million, with most of them transmitting at least one of the following pieces of data in an unencrypted way:
• Personal information, mostly the user’s name, age and gender. It may even include the user’s income. Their phone number and email address could leak too (people share a lot of personal information in dating apps, according to another Kaspersky Lab study)
• Device information, such as the manufacturer, model, screen resolution, system version and app name
• Device location
“The scale of what we first thought was just some specific cases of careless application design is overwhelming. Millions of applications include third party SDKs, exposing private data that can be easily intercepted and modified – leading to malware infections, blackmail and other highly effective attack vectors on your devices,” said Roman Unuchek, security researcher at Kaspersky Lab.
Kaspersky Lab researchers advise users to follow these measures:
• Check your app permissions. Do not grant access to something if you don’t understand why. Most apps do not need access to your location, so don’t grant it
• Use a VPN. It will encrypt the network traffic between your device and the servers. However, it will remain unencrypted behind the VPN’s servers, but at least the risk of leakage is reduced during the process
To learn more about third party SDKs, read our blogpost on Securelist.com.
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 20 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.