Twitter-Owned SDK Leaking Location Data of Millions of Users

Researchers found several apps using an outdated version of an SDK made by Twitter-owned MoPub.
October 21, 2020, 1:00pm
Twitter logo
Image: John Nacion/SOPA Images/LightRocket via Getty Imagess

A series of popular apps using an outdated piece of code owned by Twitter are exposing their users' location data. In total, the apps have been downloaded nearly 10 million times.

The news highlights the continued role of software development kits (SDKs), small bundles of code that developers often add to their apps in order to generate revenue, as well as how granular location data can be exposed through sloppily implemented phone software.

"We became concerned that these transfers [of location data] might be unencrypted," Quentin Palfrey, president of the International Digital Accountability Council (IDAC), the group which identified the issue in several apps, told Motherboard in a phone call.

Do you know anything else about SDKs that are collecting location data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

The IDAC is a non-profit organization geared towards uncovering misconduct in the digital ecosystem, according to its website. The organization includes lawyers, technologists, and privacy experts, and has previously found issues in fertility apps and other SDKs.

The technical issue itself in this new research revolves around MoPub, an SDK that lets developers monetize their apps by displaying ads. MoPub collects location information to try and deliver more relevant ads. Twitter owns MoPub.

In 2018, researchers from cybersecurity firm Kaspersky found that several SDKs transmitted data without encryption, including MoPub. IDAC's research finds several apps that include the MoPub SDK are sending sensitive location data without digital protections.

The apps include a game called Beach Cricket with over 5 million installs; two Yellow Pages phone book apps with a combined user base of over 2 million; a baby growth tracking app with 1 million users, and a few other apps with between 5,000 and 500,000 installations.

An updated version of the MoPub SDK which addresses the issue does exist, but these apps have not included that patched version. None of the app developers who include the unpatched version of the MoPub SDK in their apps responded to a request for comment.

"IDAC found that MoPub continues to support older versions of the protocol—confirming that Twitter continues to support an unsecured mechanism of sending precise GPS location information for potentially millions of current app installations," a press release from IDAC reads. Twitter told Motherboard it has deprecated all MoPub SDK versions earlier than 5.3.

"Certainly turning off the unencrypted, receiving endpoint would make a difference," Bobby Richter, a partner technologist at IDAC, said.

But Twitter told Motherboard that app developers themselves are able to modify the SDK and send unencrypted data if they choose to. And because the SDK itself is open source, Twitter and MoPub don’t have the technical means of stopping developers from choosing to send unprotected data.