- Feb 4, 2016
SAN FRANCISCO – Millions of apps leak personally identifiable information such as name, age, income and possibly even phone numbers and email addresses. At fault are app developers who do not protect ad-targeting data transmitted to third-party advertisers.
“The scale of what we first thought was just specific cases of careless application design is overwhelming,” said Roman Unuchek, security researcher, Kaspersky Lab, who introduced his research here at the RSA Conference on Tuesday. “Millions of applications include third party SDKs, exposing private data that can be easily intercepted and modified – leading to malware infections, blackmail and other highly effective attack vectors on your devices.”
Data sent unencrypted over HTTP can be collected by cybercriminals who share the same Wi-Fi network, by an ISP, or even by malware installed on a target’s home router, researchers said.
Not only can unprotected data be collected, but it can also be intercepted by a cybercriminal who can modify it to show malicious ads, enticing users to download a trojan application, which turns out to be malware, according to Unuchek.
Kaspersky said the origin of the problem can be traced back to the use of predefined and reused SDKs tied to popular advertising networks and used by app developers to save time. An analysis of these predefined SDKs by Kaspersky shows many are flawed because they send unprotected user-profile data between the app and the advertisers’ servers. Compounding the problem, the SDK code has been used in millions of apps by developers.