Sonic the Hedgehog accused of leaking Android users’ data

At the end of last week, mobile security researchers at Pradeo claimed that some of Sega’s official games in the Play store were leaking information – including players’ location and device.

The apps in question are:

  • “Sonic Dash” (which according to Google Play has been downloaded between 100 and 500 million times)
  • “Sonic Dash 2: Sonic Boom” (10-50 million downloads)
  • “Sonic the Hedgehog Classic” (10-50 million downloads)

The sensitive information collected by the apps was said to have been sent to “suspicious” servers, associated with a variant of Inmobi.D – a potentially unwanted ad library embedded within thousands of Android apps.

An obvious concern is what is happening to the sensitive data from a player’s Android device after it is transmitted to a third-party server. Are the servers themselves vulnerable to access by unauthorised parties?

Aside from concerns that the Sega games were collecting a disturbing amount of information, Pradeo also claimed that on average each app contained 15 vulnerabilities, some of which it described as critical:

“Among the vulnerabilities detected in the analyzed SEGA apps, we identified two critical ones that make them highly vulnerable to Man-In-The-Middle attacks (X.509TrustManager and PotentiallyByPassSslConnection). The other OWASP vulnerabilities detected can result in denial of service, sensitive data leakage and clearly show encryption weaknesses.”

For its part, Sega has told ZDNet that it is investigating the claims:

“Sega works diligently to address any technical issues that could compromise customer data.”

“If any third-party partners are collecting, transmitting, or using data in a manner that is not permitted by our agreement with the third party or Sega’s mobile privacy policy, prompt corrective action will be taken.”

It’s very easy to fall into an “Android vs iOS: Which is better for security?” argument, but such debates ignore the truth that the big security issue on smartphones is not the operating system, but rather the apps.

A smartphone app can be poorly coded and might store information insecurely, may exhibit weaknesses in its encryption algorithms, send your username and password insecurely in plaintext to a remote server, or could be designed to scoop up your personal information in order to make it easier for third-party companies to target you with advertising.

Even if an app is coded competently, that’s no guarantee that any data it shares with its developer is handled competently or isn’t shared with third parties who don’t treat security as a priority.


About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and gives presentations on the topic of computer security and online privacy.

Follow him on Twitter at @gcluley, Google Plus, Facebook, or drop him an email.
