Android apps such as Sonic Dash, Sonic the Hedgehog™ Classic, and Sonic Dash 2: Sonic Boom, downloaded hundreds of millions of times in total, are compromising users' data.
According to security researchers, these apps leak sensitive data to suspicious servers, exposing users to man-in-the-middle attacks and similar weaknesses.
Pradeo's Lab discovered that several game applications on Google Play published by SEGA, the well-known video game developer and publisher, access and leak users' geolocation and device data. Hundreds of millions of users are affected by these privacy violations.
The affected Android apps are:
- Sonic Dash – 100 to 500 million downloads
- Sonic the Hedgehog™ Classic – 10 to 50 million downloads
- Sonic Dash 2: Sonic Boom – 10 to 50 million downloads
Pradeo's analysis of the three apps found the following in common:
- All three apps geolocate users and relay their position
- All three apps leak device data
- Data are sent to an average of 11 remote servers, three of them uncertified
- Each app carries an average of 15 OWASP-classified vulnerabilities
Researchers at the company reported that each of the Sonic apps, published by Japan-based Sega Games, leaked geolocation information together with device data: mobile network information, service provider names, network types, OS version numbers, and the device's model and manufacturer. According to Vivien Raoul, CTO and co-founder of Pradeo Security Systems, the leaks in two of the apps are tied to a third-party library that Sega used when developing the games (Android/Inmobi.D).
Android.InMobi is classified as an advertising library that is bundled with certain Android applications.
Overall, each app connects to approximately 11 servers to relay information, three of which are uncertified.
The researchers at Pradeo also ran a vulnerability assessment on the three Sonic apps and found an average of 15 OWASP (Open Web Application Security Project) flaws per app. The servers support HTTPS, but their certificates are signed by untrusted certificate authorities, which is exactly the situation in which developers are tempted to switch certificate validation off rather than ship the right trust anchor.
“Among the vulnerabilities detected in the analyzed Sega apps, we identified two critical ones that make them highly vulnerable to Man-In-The-Middle attacks (X.509TrustManager and PotentiallyByPassSslConnection). The other OWASP vulnerabilities detected can result in denial of service, sensitive data leakage and clearly show encryption weaknesses,” according to the report.
“Unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection,” reads the description of the X.509TRUSTMANAGER flaw, while POTENTIALLY_BYPASS SSL_CONNECTION is described as:
“The implementation bypasses all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.”
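Both descriptions point at the same coding mistake: a custom trust manager whose check methods accept any certificate chain. The Java below is an added illustration written for this article, not code taken from Pradeo's report or from SEGA's apps. It shows the all-trusting X509TrustManager pattern the descriptions refer to (together with the permissive HostnameVerifier that usually accompanies it), and next to it a hardened alternative for the "uncertified server" case: instead of disabling validation, the app ships the backend's private CA certificate and trusts only chains that end at it. The class and method names and the `backend-ca` alias are assumptions made for the example.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Illustrative example only; names are assumptions, not code from the apps discussed. */
public class TlsTrustExample {

    // VULNERABLE: the pattern the X509TrustManager finding describes. Both check
    // methods are empty, so every chain, including one an on-path attacker
    // signed with a throwaway self-signed certificate, is accepted.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    /** Opens an "HTTPS" connection that a man-in-the-middle can read and modify. */
    static HttpsURLConnection openVulnerable(String url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_EVERYTHING }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Frequently paired with the trust manager above; it also disables the
        // check that the certificate's name matches the host being contacted.
        conn.setHostnameVerifier((hostname, session) -> true);
        return conn;
    }

    // HARDENED: the backend's certificate is signed by a private CA that the device
    // does not know. Bundle that CA certificate (PEM/DER) with the app and build a
    // trust store containing only it; validation stays fully enabled.
    static HttpsURLConnection openHardened(String url, InputStream caCertStream) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caCertStream);

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                 // empty, in-memory store
        trustStore.setCertificateEntry("backend-ca", ca); // alias is an assumption

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                        // only chains ending at our CA pass

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Keep the platform's default HostnameVerifier: the certificate must
        // match the host name, otherwise the connection is refused.
        return conn;
    }
}
```

The empty `checkServerTrusted` body and the `(hostname, session) -> true` verifier are what static analyzers key on when they raise findings like the two quoted above; a code review of an app or of a bundled SDK such as an ad library can grep for the same things. On Android 7.0 and later the hardened variant can also be expressed declaratively, by listing the bundled CA under `<trust-anchors>` in the app's Network Security Configuration, which avoids custom SSLContext code altogether.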
Read more here.
Pedro Tavares is an information security professional working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.