2018-01-23

JAPANESE GAMING OUTFIT Sega has said it's 'investigating' claims that its Sonic games for Android are leaking user data to dodgy servers.

Security firm Pradeo Lab said last week that a trio of Sonic games - Sonic Dash, which has been downloaded between 100 and 500 million times, and Sonic the Hedgehog Classic and Sonic Dash 2: Sonic Boom, both of which have been installed between 10 and 50 million times - have been leaking users' geolocation and device data.

Pradeo's research shows that the three Android apps "geolocate users and relay their position," "leak device data," and "send data to an average of 11 distant servers."

While the majority of these servers serve a legitimate tracking and marketing purpose, three of them are uncertified, and two are linked to a variant of 'Android/Inmobi.D', which Symantec classifies as an unwanted advertisement library that comes bundled with certain Android applications.

In addition to geolocation data, the three Sonic apps are also said to be leaking mobile network information such as service provider name and network type, and device information including manufacturer, current battery level, maximum battery level, and operating system version number.

As if that wasn't bad enough considering the apps have been downloaded from Google Play up to 550 million times, Pradeo warns that the three apps contain 15 Open Web Application Security Project (OWASP) flaws.

"Among the vulnerabilities detected in the analyzed Sega apps, we identified two critical ones that make them highly vulnerable to Man-In-The-Middle attacks (X.509TrustManager and PotentiallyByPassSslConnection)," Pradeo said.

"The other OWASP vulnerabilities detected can result in denial of service, sensitive data leakage and clearly show encryption weaknesses."

In a statement given to ZDNet, Sega has said it's looking into the vulnerabilities and will take "prompt corrective action".

"Sega works diligently to address any technical issues that could compromise customer data," a spokesperson for the company said.

"If any third-party partners are collecting, transmitting, or using data in a manner that is not permitted by our agreement with the third party or Sega's mobile privacy policy, prompt corrective action will be taken."