Millions of Apps Leak Private User Data Via Leaky Ad SDKs

Mobile apps leak personal data via insecure ads that transmit ad-targeting data insecurely.

SAN FRANCISCO – Millions of apps leak personal identifiable information such as name, age, income and possibly even phone numbers and email addresses. At fault are app developers who do not protect ad-targeting data transmitted to third-party advertisers.

“The scale of what we first thought was just specific cases of careless application design is overwhelming,” said Roman Unuchek, security researcher, Kaspersky Lab, who introduced his research here at the RSA Conference on Tuesday. “Millions of applications include third party SDKs, exposing private data that can be easily intercepted and modified – leading to malware infections, blackmail and other highly effective attack vectors on your devices.”

Data sent unencrypted over HTTP can be collected by cybercriminals that share the same Wi-Fi network, or by an ISP or even by malware installed on a target’s home router, researchers said.

Not only can unprotected data be collected, but it can also be intercepted by a cybercriminal who can modify it to show malicious ads, enticing users to download a trojan application, which turn out to be malware, according to Unuchek.

Kaspersky said the origin of the problem can be traced back to the use of predefined and reused SDKs tied to popular advertising networks and used by app developers to save time. An analysis of these predefined SDKs by Kaspersky show many are flawed because they send unprotected user-profile data between the app and the advertisers’ servers. Compounding the problem, the SDK code has been used in millions of apps by developers.

“We searched for the two most popular HTTP requests – GET and POST. In GET requests user data is usually part of the URL parameters, while in POST requests user data is in the Content field of the request, not the URL. In our research, we looked for apps transmitting unencrypted user data using at least one of these requests, though many were exposing user data in both requests,” Unuchek wrote in a research report released Tuesday.

He said 4 million APKs examined exposed some data to the internet. “Some of them were doing it because their developers had made a mistake, but most of the popular apps were exposing user data because of third-party SDKs,” he said.

Researchers did not identify the advertisers or apps behind the SDKs, only stating several millions of apps using popular advertising networks’ SDKs are impacted.

In one example of data leakage, researchers intercepted an unencrypted JSON file being sent from an advertiser’s server. “In this JSON file we found lots of user data, including device information, date of birth, user name and GPS coordinates,” Unuchek wrote.

More alarming yet, researchers said some malicious app developers also transmit data insecurely. “In the case of malware it is even worse because it can steal more sensitive data like SMSs, call history, contacts, etc. Malicious apps not only steal user data but expose it to the internet making it available for others to exploit and sell,” Unuchek wrote.

He advises users to scrutinize app permissions when installing apps. The more permissions requested, the great potential of data sent insecurely to advertisers. He also recommends using VPN.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.