Pradeo’s Lab discovered that several game applications published on Google Play by SEGA, the well-known video game developer and publisher, access and leak users’ geolocation and device data. Hundreds of millions of users are affected by these data privacy violations.

The affected Android apps are:

- Sonic Dash - 100 to 500 million downloads

- Sonic the Hedgehog™ Classic - 10 to 50 million downloads

- Sonic Dash 2: Sonic Boom - 10 to 50 million downloads

By analyzing the aforementioned apps, we identified the following common facts:

- The 3 apps geolocate users and relay their position

- The 3 apps leak device data

- Data are sent to an average of 11 remote servers, including 3 uncertified ones

- The 3 apps feature an average of 15 OWASP vulnerabilities

Data privacy violations

Lately, the Pradeo Lab has noticed an increase in the number of official apps that fool their users into granting access to data they don’t actually need. In most cases, when installing an app from Google Play, users accept permissions without giving them a second thought. As a result, publishers collect private information about their customers, such as geolocation, device data, user data (gallery, contact list, browser history, SMS…), etc.

In this case, the 3 SEGA apps collect geolocation and device data and leak them to several remote servers, including suspicious ones.

Data sent to uncertified servers

Among the remote servers the affected SEGA apps send data to, most serve a tracking and marketing purpose. However, what caught Pradeo’s researchers’ attention is that these apps also send information to 3 uncertified servers, which represent a potential threat.

Several critical OWASP vulnerabilities

Among the vulnerabilities detected in the analyzed SEGA apps, we identified two critical ones that leave them highly exposed to Man-in-the-Middle attacks (X.509TrustManager and PotentiallyByPassSslConnection). The other OWASP vulnerabilities detected can result in denial of service and sensitive data leakage, and clearly show encryption weaknesses.

Apps ID:

- Sonic Dash - Package: com.sega.sonicdash - SHA1: d7fc33843fab48666bafb85392e2d1cd4f116e6b

- Sonic the Hedgehog™ Classic - Package: com.sega.sonic1px - SHA1: 0b1b33cdbc71ff07e6a76a9b425e534a64a005c9

- Sonic Dash 2: Sonic Boom - Package: com.sega.sonicboomandroid - SHA1: a54fadc572e9ef12d07dd61230d41fcbe3f24e17

Leaked data:

- Geolocation

- Mobile network information: service provider name, network type (3G, 4G, UMTS…)

- Device information: manufacturer, commercial name (e.g. Nexus 4), battery level, maximum battery level, operating system version number

OWASP vulnerabilities detected: