At the end of last week, mobile security researchers at Pradeo claimed that some of Sega’s official Sonic the Hedgehog games in the Google Play store were leaking information – including players’ location and device data.
The Android apps in question are:
- “Sonic Dash” (which according to Google Play has been downloaded between 100-500 million times)
- “Sonic Dash 2: Sonic Boom” (10-50 million downloads)
- “Sonic the Hedgehog Classic” (10-50 million downloads)
The sensitive information collected by the apps was said to have been sent to “suspicious” servers, associated with a variant of Inmobi.D – a potentially unwanted ad library embedded within thousands of Android apps.
An obvious concern is what is happening to the sensitive data from a player’s Android device after it is transmitted to a third-party server. Are the servers themselves vulnerable to access by unauthorised parties?
Aside from concerns that the Sega games were collecting a disturbing amount of information, Pradeo also claimed that on average each app contained 15 vulnerabilities, some of which it described as critical:
“Among the vulnerabilities detected in the analyzed SEGA apps, we identified two critical ones that make them highly vulnerable to Man-In-The-Middle attacks (X.509TrustManager and PotentiallyByPassSslConnection). The other OWASP vulnerabilities detected can result in denial of service, sensitive data leakage and clearly show encryption weaknesses.”
For its part, Sega has told ZDNet that it is investigating the claims:
“Sega works diligently to address any technical issues that could compromise customer data.”
It’s very easy to fall into an “Android vs iOS: Which is better for security?” argument, but such debates ignore the truth that the big security issue on smartphones is not the operating system, but rather the apps.
A smartphone app can be poorly coded and might store information insecurely, may exhibit weaknesses in its encryption algorithms, send your username and password insecurely in plaintext to a remote server, or could be designed to scoop up your personal information in order to make it easier for third-party companies to target you with advertising.
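The “X.509TrustManager” finding in Pradeo’s quote above, and the insecure coding habits described in this paragraph, usually come down to one recognisable Android pattern: an app installs a custom X509TrustManager whose check methods are empty, so any certificate an interceptor presents is accepted and the connection can be read or rewritten. The following is an added illustration, not code from the Sega apps, from Pradeo, or from this article; it shows that vulnerable pattern next to the hardened alternatives (use the platform trust store, or simply do not override TLS at all). The class name and the `example.invalid` URL are placeholders.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class name); not the Sega apps' or Pradeo's code.
public final class TlsTrustExample {

    // VULNERABLE: the trust-everything X509TrustManager. Both check methods are
    // empty, so every certificate chain passes and a man-in-the-middle on the
    // same network can intercept the app's HTTPS traffic undetected. Kept here
    // only so the contrast with the hardened version is visible.
    static SSLSocketFactory insecureSocketFactory() throws Exception {
        X509TrustManager trustAll = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustAll }, null);
        return ctx.getSocketFactory();
    }

    // HARDENED: ask the platform for its default TrustManagerFactory. Passing a
    // null KeyStore means "use the device's system trust store", so chain
    // building, signature verification and expiry checks are all performed.
    static SSLSocketFactory platformSocketFactory() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // SIMPLEST CORRECT OPTION: do not customise TLS at all. A plain
    // HttpsURLConnection already validates the chain against the platform
    // trust store and verifies that the certificate matches the URL's host.
    static HttpsURLConnection openWithDefaults(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // Deliberately no setSSLSocketFactory() and no setHostnameVerifier().
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder endpoint; no real game server is implied.
        HttpsURLConnection conn = openWithDefaults("https://example.invalid/api/score");
        conn.setSSLSocketFactory(platformSocketFactory());
        System.out.println("TLS configured with platform trust for " + conn.getURL());
    }
}
```

From a reviewer’s side, the vulnerable shape is easy to spot in source or decompiled bytecode: any `X509TrustManager` implementation whose `checkServerTrusted` body is empty, or any `HostnameVerifier` that unconditionally returns true, should be treated as a finding regardless of which third-party library introduced it, since an embedded ad or analytics SDK can install such a trust manager on the app’s behalf.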
Even if an app is coded competently, that’s no guarantee that any data it shares with its developer is handled competently or isn’t shared with third parties who don’t treat security as a priority.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.