Home Threats Billions of users’ personal data vulnerable due to third-party code

Billions of users’ personal data vulnerable due to third-party code

Data leak

Several apps transmit unencrypted user data over insecure HTTP protocol risking user data exposure, pointed out a research by Kaspersky Lab while analyzing several popular dating apps. The research was presented in the segment titled “Leaking ads – is user data truly secure?” at the ongoing RSA Conference.

According to researchers, the reason for the vulnerability was due to applications using third-party ready-to-go advertising Software Development Kits (SDKs), popular among advertising networks. The researchers pointed out that several of these applications had a billion installations worldwide, “and a serious security flaw means private data can be intercepted, modified and used in further attacks, leaving many users defenseless.”

SDK often go unmonitored as authors focus more on the main elements of the application, relying heaving on the ready-to-go advertising tools. “For instance, advertising SDKs collect user data in order to show relevant ads, thus helping developers monetize their product. The kits send user data to the domains of popular advertising networks for more targeted ad displaying.”

Researchers while digging deeper found that most of the data were sent out unencrypted and over HTTP, making the data highly vulnerable while travelling through servers. Lack of encryption may mean that the data can be deciphered and intercepted by anyone. The research also suggested that these data can be modified and can be infused with malware endangering the user data.

“The scale of what we first thought was just specific cases of careless application design is overwhelming,” said Roman Unuchek, security researcher, Kaspersky Lab. “Millions of applications include third-party SDKs, exposing private data that can be easily intercepted and modified – leading to malware infections, blackmail and other highly effective attack vectors on your devices.”

Personal information, mostly in the form of the user’s name, age and gender, were the most found data. Several kits may also include user’s income, phone numbers and email addresses, the researchers warned. Device information, such as the manufacturer, model, screen resolution, system version and app name and device location, were other data that was transmitted unencrypted.

The researchers advised users to follow preventative measures like checking app permissions and using VPNs.