Security researchers at Kaspersky Lab discovered that about 4 million popular mobile apps are unreliable because they use insecure software development kits (SDKs), which leak user data in unencrypted form.
The leaked data includes private information like name, gender, age, income, email address, device information, GPS data, call history, SMS and phone number.
The SDKs in question are used solely for advertising purposes, and in this case the app developers are to blame, because they have failed to protect the ad-targeting data that is transmitted to third-party advertisers.
The research findings were publicly disclosed at the RSA conference. At the conference, Kaspersky Lab security researcher Roman Unuchek stated that the scale of “careless application design” is much broader than they initially expected and the consequences are alarming.
“Millions of applications include third-party SDKs, exposing private data that can be easily intercepted and modified – leading to malware infections, blackmail and other highly effective attack vectors on your devices.”
The fact cannot be ignored that advertising is vital for the survival of most e-commerce websites and app-based services: in the free versions of mobile apps, without advertising it would be difficult for developers to earn the revenue needed to improve and support them.
SDKs have proven to be an excellent tool for integrating ads into mobile apps; these development tools are usually offered by third parties for free and can collect critical user information that helps in displaying targeted, relevant advertisements.
The problem is that if the SDKs aren't properly secured, the security of the mobile app that uses them to display ads is compromised, and in turn sensitive user data is leaked.
According to the researchers, they identified the issue while evaluating a number of dating apps, some of which were transmitting unencrypted information over HTTP.
This is all due to insecure SDKs: an unprotected SDK cannot keep the data secure, because it transmits the data to its servers without encrypting it. Nor can we ignore the fact that these SDKs send data over HTTP, which is not as secure and reliable as HTTPS; information transmitted over plain HTTP is neither secure nor encrypted.
Hence the apps are easily leaking private and confidential user information and exposing mobile users to all sorts of cybercrime, including spying, identity theft and man-in-the-middle attacks.
“We searched for the two most popular HTTP requests – GET and POST.
In GET requests user data is usually part of the URL parameters, while in GET requests user data is in the Content field of the request, not the URL.
In our research, we looked for apps transmitting unencrypted user data using at least one of these requests, though many were exposing user data in both requests,” noted Unuchek.
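The check the researchers describe, searching cleartext GET query strings and POST bodies for personal data, can be reproduced on captured traffic. The following is an added example written for this article, not Kaspersky Lab's tooling; the request samples, host names and the list of parameter names treated as personal data are constructed assumptions, and HTTPS requests are skipped because the article's concern is data sent unencrypted over HTTP.

```python
"""Flag personal data carried in cleartext HTTP requests.

Added example (not Kaspersky Lab's code). Looks at GET URL parameters and
POST form bodies, the two request types discussed in the article, and
reports only requests sent over plain http://.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed list of parameter names that commonly carry personal data.
PII_KEYS = {"email", "name", "gender", "age", "income", "lat", "lon", "gps",
            "phone", "imei", "device_id", "android_id", "sms"}
# Catches an e-mail address sent under a parameter name not in PII_KEYS.
EMAIL_RE = re.compile(r"[^@\s&=]+@[^@\s&=]+\.[a-z]{2,}", re.I)

# Constructed sample requests, not real captures; hosts are placeholders.
SAMPLE_REQUESTS = [
    "GET http://ads.example-network.test/track?uid=123&email=alice%40example.com"
    "&gender=f&lat=48.85&lon=2.35 HTTP/1.1",
    "POST http://ads.example-network.test/event HTTP/1.1\r\n\r\n"
    "name=Alice&age=29&income=50000&device_id=abc123",
    "GET https://ads.example-network.test/track?email=bob%40example.com HTTP/1.1",
    "GET http://cdn.example-network.test/banner.png HTTP/1.1",
]


def parse_request(raw):
    """Split a raw request into (method, url, body); the body follows the blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    method, url, _version = head.split(" ", 2)
    return method, url, body


def find_pii(method, url, body):
    """Return the sorted parameter names that carry personal data.

    GET requests put user data in the URL query string; POST requests put it
    in the request body (form-encoded here).
    """
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    hits = set()
    for key, value in params:
        if key.lower() in PII_KEYS or EMAIL_RE.fullmatch(value):
            hits.add(key)
    return sorted(hits)


def audit(raw_requests):
    """Return (host, method, pii_keys) for every cleartext request leaking personal data."""
    findings = []
    for raw in raw_requests:
        method, url, body = parse_request(raw)
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # HTTPS traffic is encrypted on the wire; not the issue here
        keys = find_pii(method, url, body)
        if keys:
            findings.append((parts.hostname, method, keys))
    return findings


if __name__ == "__main__":
    for host, method, keys in audit(SAMPLE_REQUESTS):
        print(f"{method} to {host} sends {', '.join(keys)} in cleartext")
```

Run against a real capture, the same logic would consume the request lines exported from a proxy or packet capture instead of `SAMPLE_REQUESTS`; the point of the scheme check is that the very same parameters sent over HTTPS are not exposed to an on-path observer, which is why the article's remedy is a complete move to HTTPS.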
Another issue, the researchers claim, is that the intercepted data can be modified so that the application starts displaying malicious ads instead of authentic ones.
Since users will be compelled to download the promoted apps, there is a high chance that they would be downloading malware.
It has also been observed that the apps involved already have millions of installations from across the globe. The most common web domains identified as being used by ad networks and leaking data include rayjump.com, mopub.com, tappas.net, appsgeyser.com and Nexage.com.
Kaspersky Lab researchers stated that over 63% of the mobile apps had shifted from HTTP to HTTPS by January 2018, but nearly 90% of these apps still use HTTP in various processes. These are the apps that are leaking unencrypted data.
Developers need to completely switch to HTTPS and enable encryption for optimal security of user data and privacy. The apps or advertisers behind the SDKs haven’t been named by the research team at Kaspersky Lab.
Meanwhile, you need to carefully analyze the permissions requested by apps and what they can access on your mobile. Also consider using a trustworthy VPN service like IPVanish to keep traffic traveling between the device and server encrypted.