Popular Sonic the Hedgehog official game apps are accessing and leaking users’ geolocation and device data.
Pradeo Lab discovered that the affected apps – Sonic Dash, Sonic the Hedgehog Classic and Sonic Dash 2: Sonic Boom – feature an average of 15 OWASP vulnerabilities each and send data to about 11 distant servers, including suspicious ones.
“Lately, the Pradeo Lab noticed an increase in the amount of official apps fooling their users into giving them access to data they don’t actually need,” the company explained in a blog. “In most of the cases, when installing an app from Google Play, users accept permissions without giving a second thought. As a result, publishers collect private information about their clients, such as geolocation, device data, user data (gallery, contact lists, browser history, SMS…), etc.”
Among the vulnerabilities detected, Pradeo identified two critical bugs that make the apps highly vulnerable to man-in-the-middle (MITM) attacks. The other OWASP vulnerabilities detected can result in denial of service, sensitive data leakage and clearly show encryption weaknesses.
For instance, an unsafe implementation of the interface X509TrustManager ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making the app vulnerable to MITM attacks.
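To make the flaw concrete, here is the trust-all pattern the text describes next to a hardened replacement. This is an added illustration written for this page, not code taken from the SEGA apps or from Pradeo's report; the class names (`TrustAllManager`, `TlsTrustExample`) are hypothetical. The `acceptsEmptyChain` helper is a simple runtime smell test: a real trust manager rejects an empty certificate chain, while a no-op one silently accepts it.

```java
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TlsTrustExample {

    // VULNERABLE (hypothetical class name): every override is a no-op, so any
    // certificate (self-signed, expired, issued for another host) is accepted.
    // An on-path attacker can then read or alter the "HTTPS" traffic.
    static final class TrustAllManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Installing the no-op manager process-wide is the usual form of the bug.
    static void installTrustAll() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new TrustAllManager() }, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    // HARDENED: let the platform's default TrustManagerFactory validate the chain
    // against the system trust store. A null KeyStore selects the platform defaults.
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    static SSLContext hardenedContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { platformTrustManager() }, null);
        return ctx;
    }

    // Smell test: a correct manager throws on an empty chain
    // (CertificateException or IllegalArgumentException); a no-op one returns normally.
    static boolean acceptsEmptyChain(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("trust-all accepts empty chain: "
            + acceptsEmptyChain(new TrustAllManager()));      // true
        System.out.println("platform manager accepts empty chain: "
            + acceptsEmptyChain(platformTrustManager()));     // false
    }
}
```

In practice the safest fix is to delete the custom `X509TrustManager` entirely and let `HttpsURLConnection` (or the HTTP client in use) rely on the platform defaults; the same review should confirm the app does not also replace the default `HostnameVerifier` with one that accepts every host, since that reintroduces the same MITM exposure through a different interface.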
“An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection,” the firm said.
Overall, the flaws grant a range of permissions: other applications can bypass some security access controls and gain direct access to potentially sensitive data; other applications can start or bind to the application's service (which can lead to sensitive information leaking to malicious apps or to a denial of service); and another application can be given access to application data.
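The exported-component weaknesses described above come down to manifest settings. The fragment below is an added illustration, not taken from the SEGA apps' manifests; the package name `com.example.app`, the component names and the permission name are constructed placeholders. It shows the weak configuration beside two hardened forms.

```xml
<!-- WEAK: any app on the device can start or bind to this service and can
     query this provider, which is how a malicious app reaches app data or
     drives the service into a denial of service. -->
<service
    android:name="com.example.app.SyncService"
    android:exported="true" />
<provider
    android:name="com.example.app.DataProvider"
    android:authorities="com.example.app.data"
    android:exported="true" />

<!-- HARDENED (default case): components used only inside the app stay private. -->
<service
    android:name="com.example.app.SyncService"
    android:exported="false" />
<provider
    android:name="com.example.app.DataProvider"
    android:authorities="com.example.app.data"
    android:exported="false" />

<!-- HARDENED (cross-app case): if another app from the same publisher genuinely
     must bind, gate the component behind a signature-level permission so only
     apps signed with the same key can obtain it. -->
<permission
    android:name="com.example.app.permission.BIND_SYNC"
    android:protectionLevel="signature" />
<service
    android:name="com.example.app.SyncService"
    android:exported="true"
    android:permission="com.example.app.permission.BIND_SYNC" />
```

A quick review check is to list every `<service>`, `<receiver>`, `<activity>` and `<provider>` that is exported (explicitly, or implicitly via an `<intent-filter>` on older target SDKs) and confirm each one either needs to be reachable from other apps or carries an appropriate `android:permission`.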
As for the distant servers reached by the affected SEGA apps, most have a tracking and marketing purpose. However, three of them are uncertified servers, and two are hosting a variant of the Android/Inmobi.D malware.
Users should be wary of the apps from game giant SEGA until updates are issued.