At RSA Conference 2018, a Kaspersky Lab researcher showed how software development kits for popular ad networks can cause data leaks in many mobile apps. What type of user data is being exposed, and how are the SDKs causing these leaks?
Companies building mobile applications, like the developers of any modern software, use third-party libraries and software development kits (SDKs) to accelerate development. According to the software composition analysis in WhiteHat Security’s “2017 Application Security Statistics Report,” around 90% of an application’s code comes from open source and third-party libraries.
An SDK bundles tools, libraries, code samples and documentation that let developers build applications for a specific platform or operating system. It gives easy access to the core features of a platform without the developer having to build that functionality from scratch, so features such as social media integration, data analytics, push notifications, payments and ad serving can be added to an application in minutes instead of months.
While SDKs and other third-party components make life easier for development teams, they can also become a single point of failure: a security vulnerability in a popular SDK or library is replicated in every application that uses it. For example, a critical vulnerability recently discovered in the highly popular open source content management framework Drupal put around a million sites, and millions of their users, at risk.
Further vulnerabilities are introduced when developers adopt an SDK without understanding, or taking the time to learn, how to use its functions securely. Roman Unuchek, a security researcher at Kaspersky Lab, found that millions of applications using third-party SDKs tied to popular advertising networks put users’ private data at risk because they fail to protect the ad targeting data the apps transmit to the advertisers.
SDKs from digital advertising marketplaces make it easy for developers to start monetizing their applications, often providing everything needed to serve advertising to an audience, from profiling user behavior to displaying ads and measuring their results. To serve targeted ads, the app must send data about each user to the advertising marketplace, which analyzes it and returns the ads it judges appropriate.
Unuchek found 4 million Android apps sending unencrypted user profile data, such as names, ages, incomes, phone numbers and email addresses (and, in one example, dates of birth, usernames and GPS coordinates), over plain HTTP from the app to the advertisers’ servers. Data sent unencrypted over HTTP can be read by anyone sharing the same Wi-Fi network, by anyone else on the network path, or by malware installed on a home router. The same position lets an attacker modify the ad responses to serve malicious ads, and the harvested profile data can be reused in other attacks against the user.
Although many apps used HTTPS to communicate with their own servers, Unuchek found that their requests to third-party ad servers were often plain HTTP. Careless application design is certainly the cause in some cases, but most of the popular apps exposed user data because of how the SDK they were built with implements its networking.
For example, one popular SDK can send requests over HTTPS, but, according to Unuchek, developers rarely bother to change its default from HTTP to HTTPS. Other SDKs offer no way for developers to switch from HTTP to HTTPS at all, and one even forces the use of a hardcoded HTTP URL.
Before an app is released, it should be tested to ensure that every network request, including those made by embedded SDKs, travels over HTTPS. On Android, the platform’s network security configuration can forbid cleartext traffic app-wide, which turns an SDK’s HTTP default into a visible failure during testing rather than a silent leak in production. Developers should also take the time to understand how the components and tools they use affect the security of their users’ data, rather than copying and pasting sample code without understanding what it does.
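Two pre-release checks of the kind recommended above, as an added example that is not part of the original answer or of Kaspersky's research. The first scans a traffic capture for requests sent over plain HTTP and reports which known user-profile parameters they carry; the second parses an Android network_security_config.xml to confirm cleartext is blocked and to list any domains that have been exempted, since an SDK's integration guide may tell developers to add exactly such an exemption. The capture lines, host names, parameter names and the config file are all constructed for the example; real SDKs use their own parameter names, so the sensitive-key list would be extended from a capture of the app under test.

```python
"""Pre-release checks for cleartext (HTTP) requests carrying user profile data.

Added example. Input is a constructed list of request lines in the shape
"METHOD URL [body]" into which a proxy export could be flattened; the host
names, parameter names and Android config below are assumptions.
"""
from urllib.parse import urlsplit, parse_qs
import xml.etree.ElementTree as ET

# Parameter names matching the kinds of data seen leaking in the research,
# plus common variants. Assumption: extend from a capture of the real app.
SENSITIVE_KEYS = {"name", "age", "income", "phone", "email", "dob", "birthday",
                  "username", "lat", "lon", "latitude", "longitude", "gps"}

# Constructed sample capture: one HTTPS call to the app's own backend and
# three calls that a hypothetical ad SDK issues over plain HTTP.
SAMPLE_CAPTURE = [
    'POST https://api.example-app.test/v1/login {"username":"alice"}',
    "GET http://ads.example-network.test/req?age=34&income=55000&email=alice%40example.test&lat=52.52&lon=13.40",
    "GET http://cdn.example-network.test/banner.png",
    "POST http://track.example-network.test/e name=Alice+Smith&phone=%2B15550100",
]

# Constructed network_security_config.xml: cleartext blocked app-wide, but an
# exemption for the ad network's domain of the kind an SDK guide might request.
SAMPLE_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">ads.example-network.test</domain>
    </domain-config>
</network-security-config>"""


def parse_request(line):
    """Split 'METHOD URL [body]' into its parts; the body may be absent."""
    parts = line.split(" ", 2)
    method, url = parts[0], parts[1]
    body = parts[2] if len(parts) == 3 else ""
    return method, url, body


def sensitive_fields(url, body):
    """Return sorted sensitive parameter names found in the query string or a form body."""
    found = set(parse_qs(urlsplit(url).query).keys())
    # Only form-encoded bodies are inspected; JSON bodies are left alone here.
    if body and "=" in body and not body.lstrip().startswith("{"):
        found |= set(parse_qs(body).keys())
    return sorted(k for k in found if k.lower() in SENSITIVE_KEYS)


def find_cleartext_requests(capture):
    """Return [(host, method, [sensitive keys])] for every request sent over http://.

    Every cleartext request is reported, even one carrying no known sensitive
    field, because its response can still be tampered with (e.g. replaced by a
    malicious ad) by anyone on the network path.
    """
    findings = []
    for line in capture:
        method, url, body = parse_request(line)
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue
        findings.append((parts.hostname, method, sensitive_fields(url, body)))
    return findings


def cleartext_exceptions(config_xml):
    """Parse an Android network_security_config.xml string.

    Returns (base_permitted, [domains explicitly allowed cleartext]).
    base_permitted is None when <base-config> does not set the attribute; the
    platform default is then true below targetSdkVersion 28 and false from 28 on.
    """
    root = ET.fromstring(config_xml)
    base = root.find("base-config")
    base_attr = base.get("cleartextTrafficPermitted") if base is not None else None
    base_permitted = None if base_attr is None else base_attr.lower() == "true"
    allowed = []
    for dc in root.findall("domain-config"):
        if (dc.get("cleartextTrafficPermitted") or "").lower() == "true":
            allowed += [d.text.strip() for d in dc.findall("domain")]
    return base_permitted, allowed


if __name__ == "__main__":
    for host, method, keys in find_cleartext_requests(SAMPLE_CAPTURE):
        print(f"cleartext {method} to {host}: sensitive fields {keys or 'none'}")
    base, exempt = cleartext_exceptions(SAMPLE_CONFIG)
    print(f"base cleartextTrafficPermitted={base}; exempted domains={exempt}")
```

A release gate built on these two functions would fail the build if `find_cleartext_requests` returns anything at all, and if `cleartext_exceptions` reports a base setting other than `False` or any exempted domain, so an SDK that silently defaults to HTTP is caught in testing rather than in the field.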
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)