
Not-so-super Sonic? Sega apps leak data to suspicious servers, says research lab

Three Sonic the Hedgehog games for Android devices that collectively have been downloaded well over a hundred million times are leaking users' geolocation and device data to uncertified servers, thereby posing a privacy threat to mobile gamers, according to researchers.

A Jan. 18 blog post from the research lab of mobile security company Pradeo states that the apps "geolocate users and relay their position," "leak device data," and "send data to an average of 11 distant servers, including three uncertified ones." While most of the distant servers are used for legitimate tracking and marketing purposes, two of the three uncertified servers are linked to a variant of Android/Inmobi.D, which Symantec Corporation classifies as a potentially unwanted library that is found bundled with certain Android applications.

In addition to geolocation data, the apps reportedly also can leak mobile network information such as service provider name and network type, and device information including manufacturer, commercial name, battery level, maximum level of battery, and operating system version number.

The three games are Sonic Dash, which has been downloaded from Google Play 100 to 500 million times, and Sonic the Hedgehog Classic and Sonic Dash 2: Sonic Boom, both of which have been installed via the Play Store 10 to 50 million times.

Moreover, Pradeo reports that the three apps contain an average of 15 OWASP (Open Web Application Security Project) vulnerabilities. These include two critical flaws, X.509TrustManager and PotentiallyByPassSslConnection, which leave device owners susceptible to man-in-the-middle attacks because the apps' unsafe implementations ignore SSL certificate validation errors when establishing an HTTPS connection to a remote host. "An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection," explains Pradeo in the company blog post.
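The two critical findings describe the same root cause: a custom `X509TrustManager` (or `HostnameVerifier`) that accepts any certificate. The following is an added illustration, not code from the Sega apps or from Pradeo's report; it shows the anti-pattern beside the corrected form that relies on the platform's default trust store. The class and method names are hypothetical.

```java
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsTrustExample {

    // VULNERABLE: the pattern behind findings such as "X.509TrustManager" and
    // "PotentiallyByPassSslConnection". Every certificate is accepted and every
    // hostname matches, so anyone positioned between the app and its server
    // can present their own certificate and read or alter the traffic.
    static void installTrustAll() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
    }

    // HARDENED: do not override trust decisions. The platform's default
    // TrustManager validates the chain against the device trust store, and the
    // default HostnameVerifier checks the certificate against the URL host.
    // Written out explicitly so the contrast is visible; in practice simply
    // never calling installTrustAll() gives the same result.
    static void installPlatformTrust() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the platform default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is kept; never replace it with (h, s) -> true.
    }

    // Review check: a checkServerTrusted body that is empty (or only logs) and a
    // HostnameVerifier returning a constant true are the signatures to look for
    // when auditing an app for these two findings.
}
```

On Android 7 and later the same policy can be declared in the app's Network Security Config, which keeps the trust decision out of application code entirely.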

Other flaws can be exploited to cause denial-of-service conditions, leak sensitive data, or expose weak encryption, the blog post continues.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
