When it comes to mobile app security, Apple's App Store and Google's Play Store (Android) differ in one major respect: whether users can install apps from outside the official store.
Apple users know all too well that if it’s not in the App Store, you’re not getting the app. Apple’s App Store Review Guidelines are in place to help “provide a safe experience for users to get apps and a great opportunity for all developers to be successful.”
The company accomplishes this “by offering a highly curated App Store where every app is reviewed by experts and an editorial team [who] helps users discover new apps every day. For everything else there is always the open Internet.”
The same cannot be said for Android, which is built on an open-source operating system (AOSP) and lets users, at their own risk, install apps from outside Google Play. This is done by enabling "Install unknown apps" (called "Unknown sources" on older releases) in the security settings; since Android 8 the setting is granted per installing app rather than globally.
And as Android users are finding out, this freedom comes with consequences, both for them and for third-party app developers. On Monday, CNBC reported that a number of Android apps were shipping a malicious SDK that exposed data belonging to both Twitter and Facebook users.
Twitter confirmed in a blog post, and Facebook in a statement, that millions of users may have had personal information compromised by malicious software hidden inside third-party apps, including names, genders, email addresses, usernames and, potentially, users' last tweets.
Ironically, this story comes as Facebook, Google and Twitter are all in the legal hot seat with regulators and lawmakers over their data collection practices. But this is one of those times when we can't pin the blame on Facebook or Twitter.
“We recently received a report about a malicious mobile software development kit (SDK) maintained by oneAudience,” Twitter announced in its post on Monday.
“The issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application. Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK.”
Twitter
Further on in the post, Twitter confirmed that it had evidence that “this SDK was used to access people’s personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS.”
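Twitter's phrase "lack of isolation between SDKs within an application" is the technical heart of this story, so here is an added illustration of what it means on Android. This is not code from Twitter, oneAudience, MobiBurn or any app named in this article, and it does not reproduce whatever the real SDK did; every class, file and key name is hypothetical. It shows the platform property the statement relies on: a library compiled into an APK runs in the host app's process, under the host's Linux UID, with the host's permissions and the host's private storage, so nothing stops it from reading what the host (or another SDK) stored.

```java
// Added illustration, not code from Twitter, oneAudience, MobiBurn or any app named above.
// Demonstrates "lack of isolation between SDKs within an application" on Android:
// every library in an APK shares the app's process, UID, permissions and private files.
// All class, file and key names are hypothetical.
package example.sdkisolation;

import android.content.Context;
import android.content.SharedPreferences;
import java.io.File;
import java.util.Map;

/** Hypothetical host app: keeps the OAuth token returned by a social-network login. */
final class HostApp {
    static final String PREFS = "social_login";           // hypothetical prefs file name
    static final String KEY_TOKEN = "oauth_access_token"; // hypothetical key name

    static void onLoginSucceeded(Context ctx, String accessToken) {
        // MODE_PRIVATE keeps the file away from OTHER apps (other UIDs). It does
        // nothing against code that already runs inside this process.
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        prefs.edit().putString(KEY_TOKEN, accessToken).apply();
    }
}

/** Hypothetical "analytics" SDK that the developer bundled into the same APK. */
final class BundledAnalyticsSdk {
    /** Returns a token-looking value from the host's private storage, or null. */
    static String init(Context ctx) {
        // 1. The SDK does not need to know the host's file name: the app's private
        //    shared_prefs directory is readable by anything running as this UID.
        File prefsDir = new File(ctx.getApplicationInfo().dataDir, "shared_prefs");
        String[] files = prefsDir.list();                // e.g. ["social_login.xml", ...]
        if (files == null) return null;

        for (String f : files) {
            // 2. Open each preferences file exactly as the host would. The platform
            //    cannot tell the SDK's call from the host's: same process, same UID.
            String name = f.endsWith(".xml") ? f.substring(0, f.length() - 4) : f;
            SharedPreferences prefs = ctx.getSharedPreferences(name, Context.MODE_PRIVATE);
            for (Map.Entry<String, ?> e : prefs.getAll().entrySet()) {
                if (e.getKey().toLowerCase().contains("token") && e.getValue() instanceof String) {
                    // 3. The APK already holds android.permission.INTERNET for the app's
                    //    own use, so the SDK could send this off with no new prompt;
                    //    permissions are granted per app, never per library.
                    return (String) e.getValue();        // a malicious SDK would exfiltrate here
                }
            }
        }
        return null;
    }
}
```

The point of the example is what is absent: there is no developer-side sandbox to turn on. A bundled SDK is a full-privilege dependency, which is why the fix came from the platforms (revoking access, cease-and-desist letters) and from users reviewing which third-party apps are connected to their accounts, exactly the advice Twitter and Facebook give in their statements.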
Twitter said it would notify affected users and had also informed Google and Apple about the issue so they could take the necessary action.
“We think it’s important for people to be aware that this exists out there and that they review the apps that they use to connect to their accounts,” said Lindsay McCallum, a Twitter spokeswoman.
Well, no shit: Apple keeps its App Store tightly structured, with strict guidelines that developers must meet before an app is listed.
For Android users, this shouldn't be much of a shock: that is the risk you take with sideloading, i.e., turning off the default "Install unknown apps" (older versions: "Unknown sources") protection that blocks installs from outside Google Play. One caveat is worth keeping in mind, though: Facebook's statement below says the affected apps were "available in popular app stores," so a store listing on its own was no guarantee that the SDKs bundled inside were clean.
Twitter couldn't confirm whether the SDK was actually used to take control of users' accounts, but, according to Twitter, "it is possible that a person could do so."
Embedded within each affected app is an SDK that, in Twitter's words, could "exploit a vulnerability in the mobile ecosystem" to expose users' personal data to the SDK's maker, not merely to the developer who shipped the app.
In the CNBC report, Twitter and Facebook identified Giant Square and Photofy as two of the mobile apps involved.
But the issue isn't isolated to Twitter users. Facebook users were similarly affected by malicious SDKs from oneAudience and MobiBurn:
“Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.”
Facebook
In its statement to CNBC, a Facebook spokesperson confirmed the removal of the apps from its platform for violating its platform policies, along with the cease and desist letters against One Audience and Mobiburn, and reiterated that both companies “were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores.”
Facebook will also notify potentially affected users, which the company estimates to be around 9.5 million people.
What does oneAudience have to say?
According to the company’s privacy statement released on Monday:
“Recently, we were advised that personal information from hundreds of mobile IDs may have been passed to our oneAudience platform. This data was never intended to be collected, never added to our database and never used.
We proactively updated our SDK to make sure that this information could not be collected on November 13, 2019. We then pushed the new version of the SDK to our developer partners and required that they update to this new version.
We believe that consumers should have the opportunity to choose who they share their data with and in what context.
Today, we are shutting down the oneAudience SDK.”
As for MobiBurn’s statement, the company blames the third-party companies—shocker.
“No data from Facebook is collected, shared or monetised by MobiBurn. MobiBurn primarily acts as an intermediary in the data business with its bundle, i.e., a collection of SDKs developed by third-party data monetisation companies. MobiBurn has no access to any data collected by mobile application developers nor does MobiBurn process or store such data. MobiBurn only facilitates the process by introducing mobile application developers to the data monetisation companies.”
MobiBurn
Further attempts at locating the company's official statement on its own site resulted in 404 page errors.
Convenient, but sounds about right.
After Facebook issued its cease and desist letters, both companies have since discontinued their respective SDKs, which are no longer available for download.
So, rule of thumb:
- Stop downloading apps "off-the-store"; they're third-party for a reason;
- Clean up your phone's apps and re-enable the security setting that blocks installs from unknown sources;
- Review the third-party apps connected to your Twitter and Facebook accounts and revoke any you don't recognise or no longer use, which is the step both companies themselves recommend; and
- Android should take some serious lessons from Apple's App Store review process.