According to a researcher from security firm Predeo, some game applications in the Google Play published by SEGA leak users’ data to uncertified servers.
The Android apps are Sonic Dash, Sonic the Hedgehog™ Classic, and Sonic Dash 2: Sonic Boom, that have been totally downloaded millions of times.
The expert discovered that the apps are leaking users’ geolocation and device data to suspicious servers, thereby posing a privacy threat to mobile gamers, according to researchers.
“Pradeo’s Lab discovered that some game applications in the Google Play published by SEGA, the famous video games developer and publisher, access and leak users’ geolocation and device data. Hundreds of millions of users are concerned by these data privacy violations.” states the blog post published by Pradeo.
The Sonic apps send data to an average of 11 distant servers, three of which are not certified. Most of the servers obviously collect data for marketing purposes, but the expert observed that two of the three uncertified servers are linked to a potential unwanted library app dubbed Android/Inmobi.D,
Android.InMobi is classified as an advertisement library that is bundled with certain Android applications.
The expert discovered that the Sonic apps also leak mobile network information, including the service provider name, network type, and device information (i.e. manufacturer, commercial name, battery level, the maximum level of the battery, and operating system version number).
The researchers at Pradeo also conducted a vulnerability assessment for the three Sonic App and discovered an average of 15 OWASP (Open Web Application Security Project) flaws.
Experts discovered two critical flaws, X.509TrustManager and PotentiallyByPassSslConnection, that could be exploited by hackers to power man-in-the-middle attacks due to the lack of validation for SSL certificate errors.
“Unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.” reads the description for the X.509TRUSTMANAGER flaw, while the POTENTIALLY_BYPASS SSL_CONNECTION is described as:
“The implementation bypasses all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.”
I suggest you read the post to discover the remaining issues and the risks they posed to the users.
(Security Affairs – Sonic apps, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.