Three Sonic the Hedgehog games for Android, downloaded over 100 million times, are at risk of leaking user geolocation and other personal device data to suspicious servers, exposing users to man-in-the-middle attacks and similar vulnerabilities, according to security experts.
The games include Sonic the Hedgehog Classic, Sonic Dash 2: Sonic Boom and Sonic Dash, each distributed via the Google Play marketplace, according to researchers at Pradeo Security Systems, who made the discovery last week.
On Thursday, researchers at the company reported that each of the Sonic apps, published by Japan-based Sega Games, leaked geolocation data along with mobile network information, service provider names, network types, OS version numbers and the device’s model and manufacturer.
According to Vivien Raoul, CTO and co-founder of Pradeo Security Systems, two of the leaky apps are tied to a third-party library Sega used in developing the games. The library in question is “Android/Inmobi.D” and is available through many public code repositories. According to Raoul, the code is used for marketing purposes and creates a back-channel for advertisers to monitor ad campaigns, collect crash reports and perform software analytics. Overall, each of the apps connects to approximately 11 servers to relay information, three of which are uncertified.
Raoul said the insecure servers fall into several categories. Some do not use Hypertext Transfer Protocol Secure (HTTPS) to protect data in transit. Others support HTTPS, but their certificates are signed by untrusted certificate authorities. Lastly, he said, the untrusted servers also include ones blacklisted by security professionals for having close ties with malware distribution or phishing attacks, or for being controlled by malicious actors.
“It’s a ticking time bomb,” Raoul told Threatpost. He said unverified servers are fertile ground for attackers to collect the type of reconnaissance needed both to identify attractive targets and to attack them with tailor-made exploits.
Sega America did not return multiple Threatpost requests for comment.
“The use of the Android/Inmobi.D library is not unique. There are thousands of Android applications using a variant of Android/Inmobi.D,” Raoul said.
Researchers said each of the Sega apps contained 15 Open Web Application Security Project (OWASP) flaws.
“Among the vulnerabilities detected in the analyzed Sega apps, we identified two critical ones that make them highly vulnerable to Man-In-The-Middle attacks (X.509TrustManager and PotentiallyByPassSslConnection). The other OWASP vulnerabilities detected can result in denial of service, sensitive data leakage and clearly show encryption weaknesses,” according to the report.
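As an added illustration of the insecure X.509TrustManager pattern the report refers to (this is not code from Pradeo’s report or from the Sega apps, and the class and method names are my own), the following Java shows the permissive trust manager beside the platform-default one, plus a small runtime check that tells them apart:

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerCheck {

    // WEAK: the "accept everything" X509TrustManager that static analyzers flag.
    // Both check methods return without validating the chain, so a proxy that
    // presents any self-signed certificate is accepted as the real server.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // HARDENED: use the platform's default trust manager, which validates
    // chains against the system CA store (on Android, the CAs permitted by
    // the app's network security configuration).
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Runtime self-check: a sound trust manager must reject an empty chain
    // (the platform implementation throws). Returns true if the manager is
    // permissive, i.e. it accepted a chain that carries no certificate at all.
    static boolean acceptsEmptyChain(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;
        } catch (CertificateException | IllegalArgumentException e) {
            return false;
        }
    }

    // Build an SSLContext from a trust manager; hand ctx.getSocketFactory()
    // to HttpsURLConnection and leave the default HostnameVerifier in place.
    static SSLContext contextFor(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }
}
```

Calling acceptsEmptyChain on TRUST_ALL reports it as permissive, while the platform trust manager rejects the empty chain; the same check can be run against any custom TrustManager found in a third-party library before shipping.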
Raoul said Pradeo researchers worked with a third party to contact Sega directly regarding the vulnerabilities. It is unclear how Sega has responded to the research findings.
“Our research goes beyond Sonic. We found many more popular apps on official stores that may contain (Android/Inmobi.D) code. These games underscore the need for developers to carefully review libraries used from public code repositories,” Raoul said.
He added that app developers should also carefully consider the types of data collected from users, given the risk that some of it could accidentally be leaked.