Three Sonic the Hedgehog games for Android devices that collectively have been downloaded well over a hundred million times are leaking users' geolocation and device data to uncertified servers, thereby posing a privacy threat to mobile gamers, according to researchers.
An 18 January blog post from the research lab of mobile security company Pradeo states that the apps "geolocate users and relay their position," "leak device data," and "send data to an average of 11 distant servers, including three uncertified ones." While most of the distant servers are used for legit tracking and marketing purposes, two of the three uncertified servers are linked to a variant of Android/Inmobi.D, which Symantec Corporation recognises as a potential unwanted library app that is found bundled with certain Android applications.
In addition to geolocation data, the apps reportedly can also leak mobile network information such as service provider name and network type, and device information including manufacturer, commercial name, battery level, maximum level of battery, and operating system version number.
The three games are Sonic Dash, which has been downloaded from Google Play 100 to 500 million times and Sonic the Hedgehog Classic and Sonic Dash 2: Sonic Book, both of which have been installed via the Play Store 10 to 50 million times.
Moreover, Pradeo reports that the three apps contain an average of 15 OWASP (Open Web Application Security Project) vulnerabilities. This includes two critical flaws, X.509TrustManager and PotentiallyByPassSslConnection, that make device owners susceptible to man-in-the-middle attacks, as a result of unsafe implementations that ignore SSL certificate validation errors when establishing an HTTPS connection to a remote host. "An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection," explains Pradeo in the company blog post.
Others can be exploited to cause a denial of service conditions, leaks of sensitive data, and weak encryption, the blog post continues.