Shazam Android Application - Unencrypted Third Party Analytics Overview "Shazam is one of the worldas most popular apps, used by hundreds of millions of people each month to instantly identify music thatas playing and see what others are discovering. All for free." (https://play.google.com/store/apps/details?id=com.shazam.android) Issue The Shazam Android application (version 8.3.1-180206 and below) sends potentially sensitive information such as mobile carrier, install date and time, number of app launches, device model, Android version and screen resolution, unencrypted to a third party site (ScorecardResearch). Impact An attacker who can monitor network traffic could capture potentially sensitive information about the user's usage of the app and Android device without their knowledge. Timeline December 16, 2017 - Notified Shazam via security@shazam.com January 9, 2018 - Provided the details to Apple via product-security@apple.com January 12, 2018 - Apple asked for additional information January 17, 2018 - Apple provided the details to the Shazam security team February 7, 2018 - Asked Apple if they were able to confirm the issue February 12, 2018 - Apple advised that the Shazam security team had taken over the investigation February 12, 2018 - Thanked Apple for coordinating with the Shazam security team February 14, 2018 - Shazam provided information about their privacy policy and how they collect analytics February 14, 2018 - Provided additional information to Shazam about how analytics information is sent unencrypted March 5, 2018 - Shazam provided an update on their plan to address the issue March 19, 2018 - Shazam advised that version 8.4.1-180315 is available which sends analytics data to ScorecardResearch over an encrypted connection April 9, 2018 - Published an advisory to document the issue Solution Upgrade to version 8.4.1-180315 or later