A number of popular mobile applications are transmitting unencrypted user data due to the use of insecure advertising Software Development Kits (SDKs).
Advertising is critical to many online and app-based services. Without advertising in free versions, developers miss out on crucial revenue which is required for support and improvements.
An easy way to integrate advertising into mobile applications is through the use of SDKs. These development tools, often free and offered by third parties, can collect user information to display relevant and targeted ads -- but insecure SDKs can undermine the security of the applications that use them.
On Tuesday, Kaspersky Lab researchers presented an investigation into insecure SDKs at the RSA Conference in San Francisco.
The researchers said that while analyzing a number of popular dating applications, they discovered that some of the apps in question transmit unencrypted user data over the HTTP protocol due to poorly secured SDKs.
"They collect user data so they can show relevant ads, but often fail to protect that data when sending it to their servers," says Roman Unuchek, Kaspersky Lab security researcher.
HTTP is far less secure than HTTPS because the transmitted information is not encrypted. By transmitting user data over HTTP for ad targeting, these apps potentially expose user information to abuse, theft, eavesdropping, and Man-in-the-Middle (MITM) attacks, among others.
"The intercepted data can be modified, meaning the application will show malicious ads instead of legitimate ones," the researchers said. "Users will then be enticed to download a promoted application, which will turn out to be malware, putting them at risk."
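The exposure described above can be checked for during an app review by inspecting captured traffic for cleartext requests that carry targeting data. The following is an added example, not code from Kaspersky or from any SDK: it scans constructed proxy-log entries (hostnames, field names and values are all assumed) and reports each plain-HTTP request whose query string or form body contains fields an ad SDK would send for targeting.

```python
from urllib.parse import parse_qs, urlsplit

# Parameter names an ad SDK might send for targeting (assumed list, constructed for this example).
SENSITIVE_FIELDS = {"gender", "age", "lat", "lon", "device_id", "advertising_id", "email"}


def find_cleartext_leaks(requests):
    """Return one finding per plain-HTTP request that carries a sensitive field.

    Each request is a dict with a "url" and an optional URL-encoded "body".
    HTTPS requests are ignored: the concern here is only unencrypted transport.
    """
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() != "http":
            continue
        # Merge query-string and form-body parameters; either may carry user data.
        params = parse_qs(parts.query)
        params.update(parse_qs(req.get("body", "")))
        leaked = sorted(name for name in params if name.lower() in SENSITIVE_FIELDS)
        if leaked:
            findings.append({"host": parts.hostname, "fields": leaked})
    return findings


# Constructed sample traffic, modelled on what an ad SDK and the app itself might send.
SAMPLE_REQUESTS = [
    {"url": "http://ads.example-sdk.test/track?gender=f&age=29&advertising_id=abc123"},
    {"url": "https://api.example-app.test/login", "body": "email=user%40example.test"},
    {"url": "http://cdn.example-sdk.test/banner.png"},
    {"url": "http://stats.example-sdk.test/event", "body": "lat=48.85&lon=2.35&event=open"},
]

if __name__ == "__main__":
    for finding in find_cleartext_leaks(SAMPLE_REQUESTS):
        print(f"cleartext leak to {finding['host']}: {', '.join(finding['fields'])}")
```

Only the two HTTP requests that carry targeting fields are reported; the HTTPS login and the static banner fetch are not.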
According to Kaspersky, the apps involved included some with millions of installations worldwide.
HTTPS was in use when apps were communicating with their servers, but at the same time,