NEW DELHI, APR 18
Dating apps users, here’s a warning for you. While analyzing popular dating apps, researchers at security firm Kaspersky Lab have found that some apps transmit unencrypted user data over insecure HTTP protocol thus risking user data exposure. This is because some apps use third party, ready-to-go advertising Software Development Kits (SDKs), which are part of a number of the most popular advertising networks.
The apps involved include some with several billion installations worldwide, and a serious security flaw means private data can be intercepted, modified and used in further attacks, leaving many users defenseless.
An SDK is a set of development tools, often distributed free of charge, which allows software authors to focus on the main elements of the application, while entrusting other features to ready-to-go SDKs. Developers often use third party code to save time by reusing existing functionality to create part of the application. For instance, advertising SDKs collect user data in order to show relevant ads, thus helping developers monetize their product. The kits send user data to the domains of popular advertising networks for more targeted ad displaying.
However, deeper analysis of apps has shown that data is sent unencrypted, and over HTTP, which means it is unprotected when it travels to the servers. Due to the absence of encryption, data can be intercepted by anyone via unprotected Wi-Fi, Internet Service Providers or malware on a home router. In addition, the intercepted data can be modified, meaning the application will show malicious ads instead of legitimate ones. Users will then be enticed to download a promoted application, which will turn out to be malware, putting them at risk.
Researchers have examined logs and network traffic of apps in the internal Android Sandbox to uncover which apps transmit unencrypted user data to the networks over HTTP. They identified a number of major domains, most of them part of popular advertising networks. The number of apps using these SDKs go into several million, with most of them transmitting at least one of the following pieces of data in an unencrypted way:
Personal information, mostly in the form of the user’s name, age and gender. It may even include the user’s income. Their phone number and email address could leak too, as people share a lot of personal information in dating apps, according to a Kaspersky Lab findings. Other vulnerable information includes device information, such as the manufacturer, model, screen resolution, system version and app name; and device location. “The scale of what we first thought was just specific cases of careless application design is overwhelming,” said Roman Unuchek, security researcher, Kaspersky Lab. “Millions of applications include third party SDKs, exposing private data that can be easily intercepted and modified – leading to malware infections, blackmail and other highly effective attack vectors on your devices,” he added.
NEW DELHI, APR 18