A Top Google Play App was found to be leaking sensitive data and to contain several OWASP flaws making the app vulnerable to data leakage, denial of service and data corruption.
Researchers at the security firm Pradeo found the Dune! app, a popular game which has been downloaded more than 5 million times in the last few weeks, is leaking sensitive data including a user’s server provider, country codes, telephone network type, device manufacturer, device commercial name, battery level, operating system, and device model number, according to a Dec. 14, 2017.
The popular app also geolocates its users despite the function not being required for the game execution and relays the users position. The app sends the data to at least 32 distant servers and features 11 OWASP vulnerabilities including several that give permission to other applications to bypass some security access and ultimately access sensitive data.
Other vulnerabilities included a Broadcast-Service and Broadcast-Receiver vulnerabilities which could each either leak data or result in denial of service, a url canonicalization flaw which could lead to a directory traversal vulnerability, and a X.509Trustmanager bug which could allow an attacker to read transmitted data or even change the data transmitted on the HTTPS connection.
Researchers noted the game has an abnormally high number of external libraries and said more than half of them only have the purpose of tracking users and get as much information as they can about them.
“Very often, these libraries silently perform unnecessary actions (such as connections to unknown servers) and leak data,” researchers said in the post. “The Dune! app embeds 20 libraries, which is a lot more than the average.”
Researchers warn the app could be particularly risky for governmental employees as an attacker could leverage the app’s data leaks to know at any time the exact location and to know sensitive data that could be leverage in other attacks.