Several mobile software developer kits (SDKs) can capture sensitive user data when a mobile app crashes, exposing private data to an outside third party.
Researchers at Appthority singled out SDKs offered by AppSee and TestFairy in a report published Monday. They warned that mobile users whose apps depend on the developers’ SDK tools need to be aware that snippets of their private data could be shared outside of a corporate environment.
The AppSee and TestFairy SDKs are developer tools designed to give app-makers insights into the exact state of a phone before an app crashed. When an app does crash, both tools take screenshots of the mobile device and send them to the app developer for analysis. In some circumstances, they also collect end-user behavioral data such as user gestures and heat maps, tied to a specific app that uses the SDK.
“This opens up doors for new exploits in enterprise mobile environments, as third-parties are increasingly recording mobile screens for debugging purpose and sending them back to external servers,” wrote Su Mon Kywe, a research scientist at Appthority, in a blog post warning of the potential leak of mobile data.
She warned sensitive information such as credit-card data and passwords can be captured. She also noted that AppSee and TestFairy work with app developers that allow users to view Microsoft Word, Excel, PowerPoint files and Adobe PDFs. In those cases, the odds are greater a crashed app could expose private corporate data.
“Appthority found that several apps with this screen capturing ability can also open corporate documents… This increases the risk of corporate documents being leaked to third-parties, where enterprises can’t exercise control,” she wrote.
TestFairy’s CEO Yair Baron told Threatpost his firm provides mobile app development teams crash-related videos and screenshots of just the apps that use its SDK. “Just to be clear, we do not capture any information about any other apps,” he said. “We simply help developers understand what happened before a crash so they can fix bugs faster.”
Baron said the TestFairy SDK does not have the technical capability to open any documents. AppSee, on the other hand, can open certain documents.
“AppSee is a library present inside an app, and apps, such as AutoCAD, are designed to be able to open Word, Excel, PowerPoint and PDFs, when users download or access those files on their mobile devices,” wrote AppSee in an email response to Threatpost questions. “As such, when an app, such as AutoCAD, includes AppSee SDK for debugging or analytics purpose, AppSee has the privilege of accessing these documents or at least taking screenshots when these documents are open by users.”
Third-Party Data Sharing
Appthority’s Kywe noted several incidents where mobile data has inadvertently been shared with a third party without a user’s consent. In July, researchers at Northeastern University and the University of California, Santa Barbara highlighted a fast food company’s app GoPuff, which captured screenshots of interactions that included zip code information.
Responding to an inquiry by Gizmodo regarding the GoPuff app, Google said in July it was working closely with AppSee to make sure their app customers clearly communicated the SDK’s functionality to end-users. “After reviewing the researchers’ findings, we determined that a part of AppSee’s services may put some developers at risk of violating Play policy,” Google told Gizmodo.
AppSee told Threatpost that GoPuff violated the company’s terms of service and declined to comment further.
Last year the health provider MDLive faced a class-action lawsuit filed by a woman who alleged the MDLive mobile app shared sensitive health information of end-users via the TestFairy SDK. Information was collected by screenshots, according to the lawsuit, and included health information, such as health conditions, allergies, behavioral health history, recent medical procedures and family medical history.
The complaint states: “Patients provide their medical information to MDLive in order to obtain healthcare services and reasonably expect that MDLive will use adequate security measures, including encryption and restricted permissions, to transmit patients’ medical information to treating physicians. Contrary to those expectations, MDLive fails to adequately restrict access to patients’ medical information and instead grants unnecessary and broad permissions to its employees, agents, and third parties.”
Baron said data collected by TestFairy is never sent to an “unknown third party.” Rather, data is sent to a private cloud that only the app developer has access to: “It’s important to note, the customer is not sending the data to an unknown third-party. Data is sent to the developer’s secure private cloud.”
Baron also said TestFairy also goes a step further and allows developers to block out sensitive data such as names, user names, credit card data, location information and passwords when the screen shots are taken.
“The best way to keep information safe, is not to have it in the first place,” Baron said.
Appthority recommends non-compliant apps should be removed from the enterprise mobile environment.
“In addition… enterprise security teams should pay extra attention to these types of apps with access to other corporate data, such as address books and calendar information,’ Kywe said.
Appthority said there are about 1,350 Android and about 4,000 iOS apps that use the screen-recording capabilities on enterprise devices; about 200 Android and 180 iOS-based apps utilize screen-capturing functions offered by TestFairy.