Millions of Users’ Unencrypted Location Data Being Shared with Twitter-Owned MoPub
BOSTON, Oct. 26, 2020 — Close to 10 million app users’ location data is exposed to an array of cyber attacks due to Twitter’s failure to protect unencrypted data transmissions, the International Digital Accountability Council (IDAC) revealed.
Twitter has been aware of this issue since the global cybersecurity company Kaspersky released a 2018 report detailing how over three million Android application packages were found transmitting unencrypted data over the Internet.
IDAC technologists observed seven apps sending users’ unencrypted GPS location data to a Twitter-owned MoPub’s servers.
Twitter’s MoPub provides monetization solutions for global mobile app publishers and developers. Founded in 2010, MoPub helps mobile app developers improve user experience and increase ad generated revenue. MoPub’s clients include large gaming companies, such as Zynga, the creator of popular online games such as Words with Friends 2 and Farmville.
“Platforms have a responsibility to protect user’s data and the fact that millions of users have been open to cyber attacks since 2018 only enhances the demand for swift actions by platforms,” said IDAC President Quentin Palfrey.
Apps using the MoPub software development kit (SDK) that have not updated to the current version continue to use older versions of the protocol—confirming that Twitter continues to support an unsecured mechanism of sending precise GPS location information for potentially millions of current app installations.
The seven apps found sending unencrypted user data to MoPub’s servers are:
- Beach Cricket (5 million installs, last updated 2016)
- Yellow Pages (1 million installs, last updated 2018)
- Game Booster – Speed Up Phone (1 million installs, last updated 2016)
- Baby Care – track baby growth! (1 million installs, last updated 2020)
- Blue Light Filter for Eye Care (500,000 installs, last updated 2016)
- Ringtone Maker & MP3 Cutter (100,000 installs, last updated 2017)
- Compass & Spirit Level (5,000 installs, last updated 2017)
“We think there is a pretty simple solution here for Twitter – turn off the offending ports on the receiving end. But, Twitter also needs to continue its dialog with developers, encouraging them to update their software if they want to continue to use the service,” said Palfrey following Twitter’s response to a recent VICE article covering the issue.
Launched in April 2020, IDAC is led by an experienced team of lawyers, technologists, and privacy experts with a shared goal of improving digital accountability through investigation, education, and collaboration. As a nonprofit watchdog, IDAC investigates misconduct in the digital ecosystem and works with developers and platforms to remediate privacy risks and restore consumer trust.