Two third-party software development kits integrated by over hundreds of thousands of Android apps have been caught holding unauthorized access to users’ data associated with their connected social media accounts.
In a blog post published yesterday, Twitter revealed that an SDK developed by OneAudience contains a privacy-violating component which may have passed some of its users’ personal data to the OneAudience servers.
Following Twitter’s disclosure, Facebook today released a statement revealing that an SDK from another company, Mobiburn, is also under investigation for a similar malicious activity that might have exposed its users connected with certain Android apps to data collection firms.
Both OneAudience and Mobiburn are data monetization services that pay developers to integrate their SDKs into the apps, which then collect users’ behavioral data and then use it with advertisers for targeted marketing.
In general, third-party software development kits are not supposed to have access to your personally identifiable information, account password, or secret access tokens generated during ‘Login with Facebook’ or ‘Login with Twitter’ process.
However, reportedly, both malicious SDKs contain the ability to stealthy and unauthorizedly harvest this personal data, which you otherwise had only authorized app developers to access from your Twitter or Facebook accounts.
So, the range of exposed data is based upon the level of access affected users had provided while connecting their social media accounts to the vulnerable apps.
This data usually includes users’ email addresses, usernames, photos, tweets, as well as secret access tokens that could have been misused to take control of your connected social media accounts.
Twitter has also informed Google and Apple about the malicious SDKs and suggested users to simply avoid downloading apps from third-party app stores and periodically review authorized apps.
Meanwhile, in a statement provided to CNBC, Facebook confirmed that it had already removed the apps from its platform for violating its policies and issued cease and desist letters against both One Audience and Mobiburn.
In response to this, OneAudience announced to shut down its SDK and also provided a statement saying, “this data was never intended to be collected, never added to our database and never used.”
Both social media companies are now planning to shortly inform their users who may have been impacted by this issue.