Mobile Apps Expose Billions of Unencrypted User Info Through Insecure SDKs
Researchers reported that mobile apps are transmitting unencrypted personal information of users through the use of available third party advertising software development kits (SDKs). Poring over several popular dating apps, some of these SDKs repeatedly use the insecure HTTP protocol in millions of apps, risking user data exposure due to billions of downloads worldwide.
[Roundup: The 2017 Mobile Threat Landscape]
According to the report delivered in the RSA Conference, as app developers concentrate on mobile applications’ creation and development, free third party advertising SDKs inserted into the apps save time and take care of revenue for these developers. Examining logs and network traffic in the Android Sandbox, the HTTP protocol left users’ data unencrypted as the information is sent to servers. And with any of the users using the dating apps via vulnerable routers and unprotected Wi-Fi, users’ personal information such as name, age, gender, income, phone numbers, email addresses, and device location are at risk for MITM (man-in-the-middle), ransomware, and malware infections, among others. Further, as these information can be intercepted and modified, they could be in danger of identity theft, finance losses, and blackmail, as well as other dangers from malicious individuals and organizations by browsing through information previously logged into other downloaded apps.
Trend Micro’s research analysts and engineers have been keeping an eye on mobile apps and their accompanying vulnerabilities since 2014. Trend Micro researcherscontinue to work with partners from Google to prevent malware from infecting unsuspecting users’ devices. Since SDKs allow even beginner programmers to profit because of their ease of use, and because Android’s open platform encourages budding and professional developers, malicious advertising agents and networks have continued to take advantage and capitalize on this through various means. These actors are expected to take advantage of the latest trends and social engineering techniques to remain unnoticed by users.
A number of Android apps have been found to have compromised user privacy and security, as well as vulnerabilities and infections in disguise. The research presentation noted that while 63 percent of Android developers have started using the more secure HTTPS encrypted protocol, almost 90 percent of the said apps still use HTTP in some systems. Developers are tasked to make the switch for users’ privacy.
Additionally, users can secure their devices by following these best practices:
- Download only from trusted and verified vendors and app stores, and check permissions that apps request
- Use a virtual private network (VPN) to encrypt traffic between devices and servers
- Regularly update your OS and apps to remove potential vulnerabilities
- Regularly back up important files, media, and data from threats by synching with paired PCs, cloud services, or other apps.
Trend Micro Solutions
End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™ (available on Google Play), and Trend Micro™ Mobile Security for Apple devices (available on the App Store). Trend Micro™ Mobile Security for Enterprise provide device, compliance and application management, data protection, and configuration provisioning, as well as protect devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Exposed Container Registries: A Potential Vector for Supply-Chain Attacks
- LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
- Diving Deep Into Quantum Computing: Modern Cryptography
- Uncovering Silent Threats in Azure Machine Learning Service: Part 2
- The Linux Threat Landscape Report