Malicious Android SDKs Caught Accessing Facebook and Twitter Users Data
Two third-party software development kits integrated by over hundreds of thousands of Android apps have been caught holding unauthorized access to users' data associated with their connected social media accounts.
In a blog post published yesterday, Twitter revealed that an SDK developed by OneAudience contains a privacy-violating component which may have passed some of its users' personal data to the OneAudience servers.
Following Twitter's disclosure, Facebook today released a statement revealing that an SDK from another company, Mobiburn, is also under investigation for a similar malicious activity that might have exposed its users connected with certain Android apps to data collection firms.
Both OneAudience and Mobiburn are data monetization services that pay developers to integrate their SDKs into the apps, which then collect users' behavioral data and then use it with advertisers for targeted marketing.
In general, third-party software development kits used for advertisement purposes are not supposed to have access to your personally identifiable information, account password, or secret access tokens generated during 'Login with Facebook' or 'Login with Twitter' process.
However, reportedly, both malicious SDKs contain the ability to stealthy and unauthorizedly harvest this personal data, which you otherwise had only authorized app developers to access from your Twitter or Facebook accounts.
"This issue is not due to a vulnerability in Twitter's software, but rather the lack of isolation between SDKs within an application," Twitter clarified while revealing about the data collection incident.
So, the range of exposed data is based upon the level of access affected users had provided while connecting their social media accounts to the vulnerable apps.
This data usually includes users' email addresses, usernames, photos, tweets, as well as secret access tokens that could have been misused to take control of your connected social media accounts.
"While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so," Twitter said.
"We have evidence that this SDK was used to access people's personal data for at least some Twitter account holders using Android; however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS."
Twitter has also informed Google and Apple about the malicious SDKs and suggested users to simply avoid downloading apps from third-party app stores and periodically review authorized apps.
Meanwhile, in a statement provided to CNBC, Facebook confirmed that it had already removed the apps from its platform for violating its policies and issued cease and desist letters against both One Audience and Mobiburn.
"Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores," Facebook said.
In response to this, OneAudience announced to shut down its SDK and also provided a statement saying, "this data was never intended to be collected, never added to our database and never used."
"We proactively updated our SDK to make sure that this information could not be collected on November 13, 2019. We then pushed the new version of the SDK to our developer partners and required that they update to this new version," OneAudience said.
Both social media companies are now planning to shortly inform their users who may have been impacted by this issue.