Official Sonic Apps Leak Data to Unverified Servers

Posted by Roxane Suau on January 18, 2018

Pradeo’s Lab discovered that some game applications published on Google Play by SEGA, the well-known video game developer and publisher, access and leak users’ geolocation and device data. Hundreds of millions of users are affected by these data privacy violations.

The affected Android apps are the following:

  • Sonic Dash - 100 to 500 million downloads
  • Sonic the Hedgehog™ Classic - 10 to 50 million downloads
  • Sonic Dash 2: Sonic Boom - 10 to 50 million downloads

By analyzing the aforementioned apps, we identified these common facts:

  • The 3 apps geolocate users and relay their position
  • The 3 apps leak device data
  • Data are sent to an average of 11 distant servers, including 3 uncertified ones
  • The 3 apps feature an average of 15 OWASP vulnerabilities

Data privacy violations

Lately, the Pradeo Lab has noticed an increase in the number of official apps fooling their users into granting them access to data they don’t actually need. In most cases, when installing an app from Google Play, users accept permissions without giving them a second thought. As a result, publishers collect private information about their clients, such as geolocation, device data and user data (gallery, contact lists, browser history, SMS…).

In this case, the 3 SEGA apps collect geolocation and device data and leak them to several distant servers, including suspicious ones.

Data sent to uncertified servers

Among the distant servers reached by the affected SEGA apps when sending data, most serve a tracking or marketing purpose. However, what caught Pradeo’s researchers’ attention is that these apps also send information to 3 uncertified servers, which represent a potential threat.

Several critical OWASP vulnerabilities

Among the vulnerabilities detected in the analyzed SEGA apps, we identified two critical ones that make them highly vulnerable to man-in-the-middle attacks (X.509TrustManager and PotentiallyByPassSslConnection). The other OWASP vulnerabilities detected can result in denial of service and sensitive data leakage, and clearly show encryption weaknesses.

App IDs:

Sonic Dash - Package: com.sega.sonicdash - SHA1: d7fc33843fab48666bafb85392e2d1cd4f116e6b

Sonic the Hedgehog™ Classic - Package: com.sega.sonic1px - SHA1: 0b1b33cdbc71ff07e6a76a9b425e534a64a005c9

Sonic Dash 2: Sonic Boom - Package: com.sega.sonicboomandroid - SHA1: a54fadc572e9ef12d07dd61230d41fcbe3f24e17

Leaked data:

- Geolocation
- Mobile network information: service provider name, network type (3G, 4G, UMTS…)
- Device information: manufacturer, commercial name (e.g. Nexus 4), battery level, maximum battery level, operating system version number

OWASP vulnerabilities detected:

BROADCAST-ACTIVITY

The vulnerability allows other applications to bypass some access controls and gain direct access to potentially sensitive data.

BROADCAST-SERVICE

The vulnerability gives other applications the power to start or bind to the application's service. Exploiting the flaw can lead to sensitive information leaking to malicious apps or result in denial of service.

BROADCAST-RECEIVER

The vulnerability allows other applications to send malicious intents to the application. Acting on a received intent without validating the caller's identity may lead to sensitive data being revealed or to denial of service.

URLCANONICALISATION

Makes it easier for another application to access your application's data (files). Depending on the implementation of the Content Provider, use of the method can lead to a directory traversal vulnerability.

LOG

Applications should make sure that they do not send sensitive information to log output.

IMPLICIT-INTENT

A malicious activity or service can intercept an implicit intent and be started instead of the intended activity or service. This could result in the interception of data or in a denial of service.

X.509TRUSTMANAGER

Unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.

POTENTIALLY_BYPASS_SSL_CONNECTION

The implementation bypasses all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.
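As an added illustration of the two critical findings above (this is example code, not code from the SEGA apps or from Pradeo), the trust-all X509TrustManager shape that the X.509TRUSTMANAGER finding describes is shown next to a version that keeps the platform's certificate validation and default hostname verifier; the class and method names are hypothetical.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class; names are not taken from the apps discussed on the page.
public class TlsTrustExample {

    // VULNERABLE (the X.509TRUSTMANAGER finding): both check* methods are empty, so every
    // certificate chain is accepted and anyone positioned on the network path can
    // terminate the "HTTPS" connection. Code review and static analysis look for exactly
    // this shape: an X509TrustManager whose checkServerTrusted never throws.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // HARDENED: no custom X509TrustManager at all. The default TrustManagerFactory
    // validates the chain against the device trust store and throws on any error.
    static SSLSocketFactory validatingSocketFactory() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the platform default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Opens an HTTPS connection with chain validation and the default hostname verifier
    // left intact. Replacing the verifier with one that always returns true is the
    // POTENTIALLY_BYPASS_SSL_CONNECTION finding and undoes the validation above.
    static HttpsURLConnection openValidated(URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(validatingSocketFactory());
        // Do NOT add: conn.setHostnameVerifier((host, session) -> true);
        return conn;
    }
}
```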

D_ROOTCHECK

This App may have root detection capabilities.

D_WEBVIEWDEBUG

Remote WebView debugging is enabled.

D_SQLITE

The app uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can cause SQL injection. Sensitive information should also be encrypted before it is written to the database.

D_EXTSTORAGE

App can read/write to External Storage. Any App can read data written to External Storage.

D_TMPFILE

App creates temp file. Sensitive information should never be written into a temp file.

D_JSENABLED

Insecure WebView implementation. Execution of user-controlled code in a WebView is a critical security hole.

SQLC_PASSWORD

This app uses SQLCipher, but the secret may be hardcoded.

D_CON_WORLD_READABLE

The file is World Readable. Any App can read from the file.

WORLD-READABLE

Other apps, programs or people should not be able to access this data unless the data owner intends it.

ECB

The app uses ECB mode in a cryptographic encryption algorithm. ECB mode is known to be weak because identical plaintext blocks produce identical ciphertext blocks, so patterns in the plaintext remain visible in the ciphertext.
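To make the ECB weakness concrete, here is an added demonstration (not code from the apps or from Pradeo) that encrypts a plaintext made of four identical blocks with AES in ECB mode and with AES-GCM, then counts how many distinct ciphertext blocks each mode produces; the key, plaintext and class name are constructed for this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical demo class; key and plaintext are constructed for this example.
public class EcbLeakDemo {
    // Constructed all-zero 128-bit key, for the demo only. A real key must never be hardcoded
    // (compare the SQLC_PASSWORD finding above); on Android it belongs in the Keystore.
    static final byte[] DEMO_KEY = new byte[16];
    // Four identical 16-byte blocks: plaintext with repeated structure.
    static final byte[] PLAINTEXT = "0123456789ABCDEF".repeat(4).getBytes(StandardCharsets.US_ASCII);

    static byte[] encryptEcb(byte[] key, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return c.doFinal(pt); // identical input blocks give identical output blocks
    }

    static byte[] encryptGcm(byte[] key, byte[] pt, byte[] nonce) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        return c.doFinal(pt); // 64 ciphertext bytes followed by a 16-byte authentication tag
    }

    // Counts distinct 16-byte blocks among the first `blocks` blocks of ct.
    static int distinctBlocks(byte[] ct, int blocks) {
        Set<ByteBuffer> seen = new HashSet<>(); // ByteBuffer equals/hashCode use the bytes in range
        for (int i = 0; i < blocks; i++) {
            seen.add(ByteBuffer.wrap(ct, i * 16, 16));
        }
        return seen.size();
    }

    public static void main(String[] args) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce); // fresh 96-bit nonce for every message
        // ECB: every repeated plaintext block reappears as the same ciphertext block,
        // so the repetition in the plaintext is visible in the ciphertext.
        System.out.println("ECB distinct blocks: " + distinctBlocks(encryptEcb(DEMO_KEY, PLAINTEXT), 4));
        // GCM: each block is XORed with a different keystream block, so no repetition shows.
        System.out.println("GCM distinct blocks: " + distinctBlocks(encryptGcm(DEMO_KEY, PLAINTEXT, nonce), 4));
    }
}
```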

Topics: Security Alert, Mobile Application Security, Expertise