Facebook and Twitter said that some third-party applications have obtained users’ personal information without their consent. These third-party iOS and Android applications embed malicious SDKs. The SDK is nominally used to display ads, but experts have noted that once a user signs in to one of these applications with a social network account, the SDK silently accesses their profile and collects information, including usernames, email addresses, and tweets. These malicious SDKs were developed by the marketing company OneAudience.
“We recently received a report about a malicious mobile software development kit (SDK) maintained by oneAudience. This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application. Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK.”
Although experts found no evidence that the malicious SDK was used to take control of Twitter accounts, they did not rule out the possibility that attackers could use it for that purpose. Twitter knows that the malicious SDK accessed the personal data of certain Twitter accounts through Android devices, but has seen no similar incident on iOS devices. Twitter reported the incident to Google, Apple and other industry peers and called on them to take steps to block malicious SDKs and the applications containing their code.
Facebook found two SDKs with similar goals, One Audience and Mobiburn, which allegedly collected profile information including name, gender, and email address. A Facebook spokesperson told The Register:
“Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.”
oneAudience did not comment on the incident, while MobiBurn issued a statement denying that it collected Facebook data and announced an investigation into third-party applications using its SDK.
“No data from Facebook is collected, shared or monetised by MobiBurn,” reads the statement. “MobiBurn primarily acts as an intermediary in the data business with its bundle, i.e., a collection of SDKs developed by third-party data monetisation companies. MobiBurn has no access to any data collected by mobile application developers nor does MobiBurn process or store such data. MobiBurn only facilitates the process by introducing mobile application developers to the data monetisation companies. This notwithstanding, MobiBurn stopped all its activities until our investigation on third parties is finalised.”