Facebook and Twitter have announced that personal data related to hundreds of users may have been improperly accessed after users logged into third-party Android apps with their social media accounts. According to a report by CNBC, users of Android apps that made use of a software development kit (SDK) named oneAudience may have unwittingly shared information such as their email addresses, usernames and recent tweets. CNBC says that amongst the offending Android apps are the photo-editing tools Giant Square and Photofy. Presently there is no indication that iOS users are affected by the issue. According to an advisory published by Twitter, data extracted from accounts via the use of the oneAudience SDK (which it describes as "malicious") in a smartphone app could be used to take control of a Twitter account, although it has seen no evidence that this has occurred. Twitter was keen to emphasise that the "issue is not due to a vulnerability in Twitter's software, but rather the lack of isolation between SDKs within an application," and says it will be notifying users of the Twitter for Android app who may have been affected. Furthermore, Twitter says it has "informed Google and Apple about the malicious SDK so they can take further action if needed." I presume what they mean by that is that so Google and Apple can kick any offending apps out of their respective app stores. In response, oneAudience has issued a statement claiming the "data was never intended to be collected, never added to [its] database and never used." According to the company, it "proactively" updated its SDK in mid-November so user data could not be collected, and asked developer partners to update to the new version. However, it has now announced it is shutting down the offending SDK.
Facebook meanwhile has issued a statement saying that it is taking action against not only the oneAudience SDK, but also an SDK from marketing company MobiBurn:
"Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores." "After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts."
On its website, MobiBurn describes how it helps app developers generate revenue - not by placing more ads within an app, but through the "monetization of your applications' valuable data in a safe and confidential way." However, in light of the revelations and action taken by Facebook and Twitter, MobiBurn says it has "stopped all its activities" until investigations are complete.
This is all very well and good, but what are users supposed to do to protect themselves? When they install an app, they have no way of knowing whether the developers chose to make use of a malicious SDK which might leave personal information exposed. All you can realistically do is exercise restraint regarding which third-party apps you connect to your social media profiles. The fewer apps you connect to your Facebook and Twitter, the smaller the chance that someone's code will be abusing that connection to access information you would rather not share.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
