Chinese SDK, Mintegral, Accused of Spying on iOS Users
China-based ad network Mintegral has been accused of spying on user activity and committing ad fraud in more than a thousand iOS apps. Headquartered in Beijing, China, Mintegral is owned by another Chinese ad network, Mobvista. The issue centers on a malicious SDK, a software component that app developers can use to add functionality to their apps without having to code it themselves. It stems from how the SDK is distributed: as a regular ad network component that developers can use to monetize their apps through ads. While the SDK does perform standard ad network functionality, it also performs ‘click attribution fraud’ and has capabilities to spy on the app’s user.
The main purpose of the malicious SDK is to make money, which it does by spying on what users do, specifically when they click on ads to install other apps. Since brands pay ad networks for successful mobile app installs, the Mintegral SDK would then quickly send out a fake click and “claim credit” for the app install, hence the charge of click attribution fraud. While the iOS operating system prevents malicious apps from spying on all of a user’s data stored on their phone by ‘sandboxing’ apps, the SDK can snoop on communication from impacted apps. Some of the information being collected and logged includes:
- OS Version
- IP Address
- Charging state
- Mintegral SDK Version
- Network type
- Model
- Package name
- IDFA
- URL
- Request headers
- Method name
- Class Name
- Backtrace data
In an interview with the TechFirst podcast, Danny Grander, cofounder and chief security officer at Snyk, the security company that discovered the malicious SDK, had this to say:
“Developers can sign up as publishers and download the SDK from the Mintegral site. Once loaded, the SDK injects code into standard iOS functions within the application that execute when the application opens a URL, including App Store links, from within the app. This gives the SDK access to a significant amount of data and even potentially private user information. The SDK also specifically examines these open URL events to determine if a competitor’s ad network SDK was the source of the activity.”
For their part, Mintegral denies the allegations, claiming that their software fully complies with industry standards and that any information collected is obtained through a publicly available OS-level Apple API. They claim that any data collected is then used to “select the most relevant advertisement when [their] ad network is called to fill an ad request,” and that all actions taken are done with the purpose of identifying the most appropriate ad for a user.
Representatives from Apple claim that the company has spoken to the security company Snyk and that there is no evidence that users have been harmed by the malicious SDK. Apple claims that this is another example of why the company is making privacy enhancements in its upcoming iOS 14, which will make the Apple identifier for advertisers (IDFA) ‘opt-in only,’ allowing people to access more details about what data apps are collecting.
Some of the more popular apps affected by the malicious SDK are:
- Helix Jump
- Talking Tom
- PicsArt
- Subway Surfers
- Gardenscapes