Sonic the Hedgehog accused of leaking Android users’ data

Spiky-haired Sonic’s security called into question.

Graham Cluley

At the end of last week, mobile security researchers at Pradeo claimed that some of Sega’s official Sonic the Hedgehog games in the Google Play store were leaking information – including players’ location and device data.

The Android apps in question are:

  • “Sonic Dash” (which according to Google Play has been downloaded between 100-500 million times)
  • “Sonic Dash 2: Sonic Boom” (10-50 million downloads)
  • “Sonic the Hedgehog Classic” (10-50 million downloads)

The sensitive information collected by the apps was said to have been sent to “suspicious” servers associated with a variant of Inmobi.D, a potentially unwanted ad library embedded within thousands of Android apps.


An obvious concern is what is happening to the sensitive data from a player’s Android device after it is transmitted to a third-party server. Are the servers themselves vulnerable to access by unauthorised parties?

Aside from concerns that the Sega games were collecting a disturbing amount of information, Pradeo also claimed that on average each app contained 15 vulnerabilities, some of which it described as critical:

“Among the vulnerabilities detected in the analyzed SEGA apps, we identified two critical ones that make them highly vulnerable to Man-In-The-Middle attacks (X.509TrustManager and PotentiallyByPassSslConnection). The other OWASP vulnerabilities detected can result in denial of service, sensitive data leakage and clearly show encryption weaknesses.”

For its part, Sega has told ZDNet that it is investigating the claims:

“Sega works diligently to address any technical issues that could compromise customer data.”

“If any third-party partners are collecting, transmitting, or using data in a manner that is not permitted by our agreement with the third party or Sega’s mobile privacy policy, prompt corrective action will be taken.”

It’s very easy to fall into an “Android vs iOS: Which is better for security?” argument, but such debates ignore the truth that the big security issue on smartphones is not the operating system, but rather the apps.

A smartphone app can be poorly coded and might store information insecurely, may exhibit weaknesses in its encryption algorithms, send your username and password insecurely in plaintext to a remote server, or could be designed to scoop up your personal information in order to make it easier for third-party companies to target you with advertising.

Even if an app is coded competently, that’s no guarantee that any data it shares with its developer is handled competently or isn’t shared with third parties who don’t treat security as a priority.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
