Two third-party SDKs allowed secret harvesting of Twitter and Facebook user data

OneAudience and MobiBurn discontinue their respective SDKs after another data collection scandal breaks out on Monday.

social apps twitter facebook

Image: efekurnaz

Facebook and Twitter are investigating a report from security researchers about two third-party software development kits (SDKs) that allowed app makers to access and collect user data without authorization.

An SDK is a software library that app developers embed in their code to automate certain operations, and spare themselves from writing that specific code by hand and losing precious time.

SDKs are very popular in the modern app development ecosystem, but using an SDK also implies surrendering some of your app's control to a third-party entity.

Twitter issue

On Monday, November 25, Twitter disclosed that they've received a report about an SDK made by data analytics platform OneAudience. The company offers a mobile SDK for Android and iOS apps that collects data on an app's users to provide additional insights for app makers about their audience.

Twitter said the company's SDK contained features allowing it to harvest personal user information from a Twitter account without authorization.

"This issue is not due to a vulnerability in Twitter's software, but rather the lack of isolation between SDKs within an application," Twitter explained.

What this means is that when users installed a mobile app on their device and then used the Login with Twitter feature to log into that app, the SDK present in the app also secretly harvested information about that Twitter profile.

The social network said it had "evidence that this SDK was used to access people's personal data." Collected information included email, username, and last tweet. A CNBC report suggested two of the apps where this data collection behavior was spotted were Giant Square and Photofy.

Twitter didn't say how many users were impacted, but said that only Android users were affected, having no evidence that the data collection occurred from within iOS apps.

The social networking giant said it notified both Google and Apple about the SDK's secret user data harvesting capabilities, so the two app store owners can take their own action against apps using the OneAudience SDK.

Facebook issue

The same issue also impacted Facebook, but the user data harvesting functions were spotted in two SDKs -- the first was the same OneAudience SDK, while the second was an SDK from data monetization platform MobiBurn.

The data collection behavior worked in a similar way as above. If users linked a third-party app with their Facebook account, features in the two SDKs allowed for secret user data harvesting.

From Facebook accounts, the two SDKs could have surreptitiously collected data such as name, email, and gender, Facebook said.

"After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn," a Facebook spokesperson said in a statement to CNBC, which broke the story yesterday.

Just like Twitter, Facebook said it's planning to notify "people whose information we believe was likely shared after they had granted these apps permission to access their profile information."

SDK makers respond

After the news broke yesterday, both SDK makers posted messages on their websites claiming they only provided the tools but were not involved in the data collection in any way -- shifting blame to the mobile app developers who abused their SDKs.

OneAudience statement:

Recently, we were advised that personal information from hundreds of mobile IDs may have been passed to our oneAudience platform. This data was never intended to be collected, never added to our database and never used. We proactively updated our SDK to make sure that this information could not be collected on November 13, 2019. We then pushed the new version of the SDK to our developer partners and required that they update to this new version.

MobiBurn statement:

No data from Facebook is collected, shared or monetised by MobiBurn. MobiBurn primarily acts as an intermediary in the data business with its bundle, i.e., a collection of SDKs developed by third-party data monetisation companies. MobiBurn has no access to any data collected by mobile application developers nor does MobiBurn process or store such data. MobiBurn only facilitates the process by introducing mobile application developers to the data monetisation companies.

Following Facebook's cease and desist letter, the two companies have discontinued their respective SDKs, which are no longer available for download.

mobiburn-statement.png