Shady Sonic Apps Put More Than 120 Million at Risk

There are plenty of fake apps in the Google Play store that can wreak havoc on your privacy, but this is another story.

Sonic Dash, Sonic the Hedgehog Classic and Sonic Dash 2: Sonic Boom all track much more user information than they need to, and may be leaking said information to shady third parties. Collectively, these games boast more than 120 million downloads, meaning that millions of Android users could face a hedgehog-induced security risk.

Credit: Sega

The findings come from Pradeo, a Paris-based mobile-security firm. Pradeo wanted to draw attention to the dangers of downloading the games, of course, but its secondary message is clear enough: if bad security practices can happen to a company as large as Sega, they can almost certainly happen to yours as well.

The problems with the apps are fairly straightforward. If you want to pass the time with your favorite blazing blue hedgehog during your commute, you will also grant the game permission to access your location. Leaving aside the question of why a game with no augmented-reality features needs your location in the first place, Pradeo found that all three apps send user locations to 11 different servers, including three that Pradeo describes as uncertified. Two of those three servers are associated with Android/Inmobi.D, a detection name that most antivirus programs apply to adware rather than to legitimate ad-network traffic.

Moreover, Pradeo flagged 15 weaknesses drawn from the Open Web Application Security Project (OWASP) mobile list, which could lead to "denial of service [and] sensitive data leakage," the company's report said, and which also leave the apps open to man-in-the-middle attacks and weaken their encrypted data transmission. The bottom line is that the vulnerabilities are mild, and there is probably no one exploiting them, but they are entirely unnecessary and should not have made it into a high-profile app in the first place.

Sega is currently looking into the issue and should have a fix ready soon, according to ZDNet's correspondence with the company. Luckily, there is a workaround for most users in the meantime. On Android 6.0 and higher, permissions can be granted or revoked per app in the system settings (tap Settings, Apps, the Sonic app in question, Permissions). The games still work with the location, contacts and storage permissions turned off, so you can keep playing without handing Sega personal details it might leak.
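For readers who manage more than one device, or who want to confirm that the toggles in Settings actually took effect, the same revocation can be scripted over USB debugging with the standard Android `pm revoke` and `dumpsys package` commands. The script below is an added example, not code from the article, Pradeo or Sega. The article names the games but not their Android package IDs, so the package name is passed in as an argument (the `com.example.sonic` value in the comments is a placeholder), and the list of permission constants is this example's own mapping of the "Location", "Contacts" and "Storage" groups shown in the Settings screen.

```bash
#!/bin/sh
# Added example: revoke the runtime permissions the article says the Sonic games
# do not need, using adb instead of the Settings UI. Needs Android 6.0+ (runtime
# permissions) and USB debugging enabled on the phone. Package IDs are not given
# in the article, so they are passed on the command line, e.g.:
#   sh revoke_sonic.sh com.example.sonic        # placeholder package name
# Find real package names with:  adb shell pm list packages sega

# Permission constants behind the "Location", "Contacts" and "Storage" groups
# in Settings > Apps > <app> > Permissions (assumed mapping, not from the article).
UNNEEDED_PERMISSIONS="
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_CONTACTS
android.permission.WRITE_CONTACTS
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
"

# Print the adb commands that would revoke every unneeded permission for one
# package. Kept separate from execution so the plan can be reviewed (or tested)
# without a device attached. Revoking a permission the app never requested makes
# pm print an error and nothing else, which is harmless here.
revoke_plan() {
    pkg="$1"
    for perm in $UNNEEDED_PERMISSIONS; do
        printf 'adb shell pm revoke %s %s\n' "$pkg" "$perm"
    done
}

# Count how many of the unneeded permissions a 'dumpsys package <pkg>' report
# shows as granted. Reads the dumpsys text on stdin; the relevant lines look like
#   android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
count_granted() {
    granted=0
    while IFS= read -r line; do
        case "$line" in
            *": granted=true"*) ;;
            *) continue ;;
        esac
        for perm in $UNNEEDED_PERMISSIONS; do
            case "$line" in
                *"$perm:"*) granted=$((granted + 1)) ;;
            esac
        done
    done
    echo "$granted"
}

# Only touch a device when package names were given and adb is installed; with no
# arguments the script just defines the functions above.
if [ "$#" -ge 1 ] && command -v adb >/dev/null 2>&1; then
    for pkg in "$@"; do
        echo "Before: $(adb shell dumpsys package "$pkg" | count_granted) unneeded permissions granted"
        revoke_plan "$pkg" | sh
        echo "After:  $(adb shell dumpsys package "$pkg" | count_granted) unneeded permissions granted"
    done
fi
```

The "After" count should read 0 once the revocations have run; a non-zero value means a permission was re-granted (some apps prompt for it again at launch) or that the device is running a version older than 6.0, where permissions are all-or-nothing at install time and `pm revoke` does not apply.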