Researchers reported that mobile apps are transmitting users’ personal information unencrypted through freely available third-party advertising software development kits (SDKs). After examining several popular dating apps, the researchers found that some of these SDKs repeatedly use the insecure HTTP protocol in millions of apps, risking user data exposure across billions of downloads worldwide.
According to the report delivered at the RSA Conference, app developers concentrate on creating and developing their mobile applications, and the free third-party advertising SDKs inserted into the apps save them time and take care of revenue. Examination of logs and network traffic in the Android Sandbox showed that the HTTP protocol left users’ data unencrypted as the information is sent to servers. When users run the dating apps over vulnerable routers and unprotected Wi-Fi, their personal information, such as name, age, gender, income, phone numbers, email addresses, and device location, is at risk from man-in-the-middle (MITM) attacks, ransomware, and malware infections, among others. Further, as this information can be intercepted and modified, users could be in danger of identity theft, financial losses, and blackmail, as well as other dangers from malicious individuals and organizations browsing through information previously logged into other downloaded apps.
Trend Micro’s research analysts and engineers have been keeping an eye on mobile apps and their accompanying vulnerabilities since 2014. Trend Micro researchers continue to work with partners from Google to prevent malware from infecting unsuspecting users’ devices. Since SDKs allow even beginner programmers to profit because of their ease of use, and because Android’s open platform encourages budding and professional developers, malicious advertising agents and networks have continued to take advantage and capitalize on this through various means. These actors are expected to take advantage of the latest trends and social engineering techniques to remain unnoticed by users.
A number of Android apps have been found to compromise user privacy and security, and to carry vulnerabilities and disguised infections. The research presentation noted that while 63 percent of Android developers have started using the more secure HTTPS encrypted protocol, almost 90 percent of the said apps still use HTTP in some systems. Developers are tasked with making the switch to protect users’ privacy.
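The kind of traffic review described above can be approximated on an app's own captured requests. The following is an added example, not code from the researchers or from Trend Micro: it flags requests sent over cleartext HTTP whose query string or form body carries fields in the personal-data categories the report lists. The capture format, host names, and parameter names are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Field names modelled on the data categories the article lists; the exact
# parameter names are assumptions, since each SDK uses its own.
PII_KEYS = {"name", "age", "gender", "income", "phone", "email", "lat", "lon"}

# Constructed sample capture: "<METHOD> <URL> <form-encoded body or ->"
SAMPLE_CAPTURE = """\
GET http://ads.example.test/v1/imp?age=29&gender=f&slot=banner -
POST http://track.example.test/collect email=a%40example.test&lat=48.85&lon=2.35
GET https://ads.example.test/v1/imp?age=29&gender=f -
GET http://cdn.example.test/creative/123.png -
POST https://api.example.test/login email=a%40example.test
"""

def pii_fields(url_query, body):
    """Return the sorted PII keys present in the query string or body."""
    found = set()
    for source in (url_query, "" if body == "-" else body):
        for key, _value in parse_qsl(source, keep_blank_values=True):
            if key.lower() in PII_KEYS:
                found.add(key.lower())
    return sorted(found)

def audit(capture):
    """Return (host, fields) for every cleartext request that carries PII."""
    findings = []
    for line in capture.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines
        _method, url, body = parts
        target = urlsplit(url)
        if target.scheme.lower() != "http":
            continue  # HTTPS requests are encrypted in transit
        fields = pii_fields(target.query, body)
        if fields:
            # Report field names only, so the audit log does not copy the PII.
            findings.append((target.hostname, fields))
    return findings

if __name__ == "__main__":
    for host, fields in audit(SAMPLE_CAPTURE):
        print(f"cleartext PII to {host}: {', '.join(fields)}")
```

Requests to the same host over HTTPS are not flagged, which makes the output a direct list of the endpoints that still need to be moved off HTTP.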