The widely popular Angry Birds, the seemingly innocent game where you shoot birds into towers to defeat little green pigs, may not be so innocent after all. While you launch the birds at towers, Angry Birds is launching your data at advertisers worldwide.
Many mobile applications are known to be insecure, and the NSA has been caught invading mobile games to spy on people's private lives. While this may be a privacy intrusion, it can seemingly be fixed easily. But while the NSA is spending its precious time backdooring mobile applications for data, Rovio is selling it, FireEye reports.
Data-hungry applications are not much of a new concept; they were being reported on just last year in mid-October, again with ties to the National Security Agency. Reports made it to news networks ranging from ProPublica, to U.K. newspapers, to the Guardian, and even to the 60 Minutes television show.
The Android version of the popular Angry Birds in the Google Play store continues to share personal information. Over 250,000 users who create Rovio accounts save their game progress and play across multiple devices. While the user is simply saving game data, their personal data is sold without their knowledge. Shared information includes users' age, gender, address, and much more, and it goes to various third parties. Even users who don't save their game data with a Rovio account are sharing personal information without realizing it.
Once a user registers a Rovio account and identifies themselves by entering personal information, little can be done to stop that data from being shared. The data can reside in multiple places, including Angry Birds Cloud, Burstly (an ad media platform), and third-party ad networks such as Jumptap and Millennial Media, FireEye reported. Users can avoid sharing personal data by playing the Angry Birds game without a Rovio account, but that does not stop the game from sharing device information with third parties.
To start the investigation, FireEye had to determine which versions of Angry Birds were sharing personal information. Researchers found that multiple versions of Angry Birds transmitted personal data in plain text, including email addresses, home addresses, ages, and gender.
“Angry Birds data management service, ‘ad-x.co.uk,’ shares information in the penultimate version of the game (V4.0.0), which was offered in the Google Play store through March 4,” researchers state. Media reports have stated that only older versions of Angry Birds affect user data, but FireEye reported finding that multiple updated versions of the Angry Birds game, even the latest update to “classic” version 4.1.0, are indeed part of the data-selling regime. With over 2 billion downloads Angry Birds affects a handful of users globally.
What information is being shared?
Angry Birds encourages gamers to create a Rovio account. If an account is created, you get special in-game features such as game syncing abilities and weapons.
If users agree to create an account, a small popup asks for the gamer's date of birth. After hitting next, users are prompted to enter their email address and, lastly, a password. Angry Birds also offers an additional newsletter you can sign up for; the sign-up includes your gender and country of residence.
The above picture shows how Angry Birds and the ad cloud distribute user data.
First, FireEye looks at what type of information is transmitted to the advertisement library. The above picture shows where Angry Birds data flows: between Angry Birds Cloud, Burstly (the ad network), and the multiple cloud-based ad services.
The Burstly network that Angry Birds uses allows numerous third parties to be integrated into the service, initially targeting users to show “relevant” advertisements. On top of the integration, Burstly uses an ordinary, unsecured HTTP connection to communicate with advertisement networks.
FireEye's full report shows the data, the networks, and how everything communicates, along with packets and leaked data.
Overall, Angry Birds collects a lot of personal information on its users. The Burstly ad networks associate IDs with data and with ad networks, and unprotected network traffic carries that data back and forth. Threat assessments have been done on mobile apps such as Angry Birds in the past. It appears most mobile threats can be cured by securing connections with HTTPS and by choosing which ad networks and analytics programs are used to collect and serve data. While it is uncertain where the data will reside (as ad networks can sell that data beyond what researchers find), it is certain that mobile games are an increasing threat to consumer privacy.
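The two mitigations named above (HTTPS, and a deliberate choice of ad networks) can be checked against a capture of an app's outbound requests. The following is an added example, not code from FireEye or Rovio; the parameter names, hosts and sample URLs are constructed assumptions, and only query strings are inspected.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that suggest the profile fields the article lists
# (email, age / date of birth, gender, address, country). Names are assumptions.
PII_KEYS = {"email", "age", "dob", "birthdate", "gender", "address", "country"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def pii_fields(url):
    """Return the sorted PII-looking fields carried in a URL's query string."""
    hits = set()
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.lower() in PII_KEYS:
            hits.add(key.lower())
        elif EMAIL_RE.search(value):
            hits.add("email")  # an address hidden under an opaque key
    return sorted(hits)

def audit(urls):
    """Split PII-bearing requests into cleartext leaks and encrypted shares."""
    cleartext, encrypted = [], []
    for url in urls:
        parts = urlsplit(url)
        fields = pii_fields(url)
        if not fields:
            continue
        # HTTPS protects the data in transit only; the receiving host still
        # gets it, so encrypted requests are listed for ad-network review.
        bucket = cleartext if parts.scheme == "http" else encrypted
        bucket.append((parts.hostname, fields))
    return cleartext, encrypted

# Constructed sample capture (not real traffic).
SAMPLE = [
    "http://ads.example.net/req?zone=12&age=27&gender=f",
    "http://track.example.org/p?uid=9f3a&u=player%40example.com",
    "https://cloud.example.com/register?email=player%40example.com&dob=1987-01-01",
    "http://cdn.example.net/banner.png?w=320&h=50",
]

if __name__ == "__main__":
    leaks, shared = audit(SAMPLE)
    for host, fields in leaks:
        print(f"CLEARTEXT {host}: {', '.join(fields)}")
    for host, fields in shared:
        print(f"encrypted {host}: {', '.join(fields)}")
```

Hosts in the cleartext list need transport fixes; hosts in the encrypted list are the third parties whose data handling still has to be reviewed.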