Advertising Software Development Kit (SDK): serving up more than just in-app ads and logging sensitive data. [Research Saturday]

CyberWire Daily

N2K Networks, Inc.

Daily News, Tech News, News, Technology

4.6 • 1K Ratings

🗓️ 19 December 2020

⏱️ 25 minutes

🔗️ Recording | iTunes | RSS

🧾️ Download transcript

Summary

On August 24, 2020, Snyk announced the discovery of suspicious behaviors in the iOS version of a popular advertising SDK known as Mintegral. At that time, they had confirmed with partners in the advertising attribution space that at minimum, Mintegral appeared to be using this functionality to gather large amounts of data and commit ad attribution fraud. Their research showed that Mintegral was using code obfuscation and method swizzling to modify the functionality of base iOS SDK methods without the application owner’s knowledge. Further, their research proved that Mintegral was logging all HTTP requests including its headers which could even contain authorization tokens or other sensitive data. Since that time Mintegral announced that they were opening the source of their SDK to the market. While the SDK can only be downloaded by registered partners, a major game publisher shared the source code with Snyk for further analysis. They also continued their research by digging deeper into the Android versions of the SDK in which they hadn’t found similar behaviors at the time of the initial disclosure. This has resulted in some significant discoveries that necessitate an update to the previous disclosure. Additionally, Mintegral and the community at large have responded to the situation, and Snyk felt a summary of the events was a good way to finalize their research into this SDK. Joining us on Research Saturday to discuss their research is Snyk's Alyssa Miller. The original blog and Snyk's update can be found here: SourMint: malicious code, ad fraud, and data leak in iOS SourMint: iOS remote code execution, Android findings, and community response

Transcript

Click on a timestamp to play from that location

0:00.0	You're listening to the CyberWire Network, powered by N2K.
0:07.0	Today's episode is sponsored by SRM, your first call for cybersecurity and
0:18.1	investigations. Threats today are evolving faster than ever before and since 2005 SRM has pioneered
0:25.3	tailored security solutions for global corporations and their executives.
0:29.5	Whether it's defending against cyber attacks with their award-winning team of ethical hackers and incident response specialists,
0:36.4	or navigating the murky waters of compliance and ESG challenges,
0:40.9	SRMs, Insight and Straight straightforward advice will help you navigate complex risks
0:46.4	and emerge more resilient.
0:48.4	Their secret, a culture that nurtures the sharpest minds, giving them access to the newest technologies and the freedom
0:55.3	to solve problems in new ways, enabling them to craft simple effective solutions for your
1:01.4	unique cyber challenges.
1:03.7	Search your first call to discover how SRM can help your business. Hello everyone and welcome to the CyberWire's research Saturday.
1:25.0	I'm Dave Bitner and this is our weekly conversation with researchers and analysts
1:29.0	tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly
1:35.2	evolving cyberspace.
1:37.3	Thanks for joining us.
1:38.3	So we actually had a partner reach out to us and they actually asked for our help because they were seeing they wanted us to help them just research some weird behaviors they were seen related to this particular
1:54.4	SDK. That's Alyssa Miller. She's an application security advocate at
1:59.4	Sneeek. The research we're discussing today is titled Sourmint,
2:04.0	IOS remote code execution, Android findings and community response. You can sense to glory.
2:15.0	feel it in your bones.
2:17.0	Is this discarded something?
	...

Please login to see the full transcript.

Previous episode | Next episode

Disclaimer: The podcast and artwork embedded on this page are from N2K Networks, Inc., and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of N2K Networks, Inc. and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.