Google Cardboard Android / iOS Applications Information Disclosure

2018.11.02
Credit: David Coomber
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

https://www.info-sec.ca/advisories/Google-Cardboard.html

Google Cardboard Android & iOS Applications - Unencrypted Third Party Analytics

Overview

"Cardboard puts virtual reality on your smartphone. The Cardboard app helps you launch your favorite VR experiences, discover new apps, and set up a viewer."

(https://play.google.com/store/apps/details?id=com.google.samples.apps.cardboarddemo)
(https://itunes.apple.com/us/app/google-cardboard/id987962261)

Issue

The Google Cardboard Android & iOS applications (Android version 1.8, iOS version 1.2 and below) send potentially sensitive information such as OS, CPU architecture, graphics chip vendor & version, CPU count, RAM, VRAM, screen size, and device make and model, unencrypted, to a third party site (Unity 3D Stats).

Impact

An attacker who can monitor network traffic could capture potentially sensitive information about the user's device without their knowledge.

Timeline

May 9, 2017 - Notified Google of the issue
May 9, 2017 - Google sent an auto acknowledgment
May 10, 2017 - Google responded stating that they are investigating
May 18, 2017 - Asked for an update
May 19, 2017 - Google acknowledged the issue
June 6, 2017 - Google provided the information to their development team
June 6, 2017 - Provided additional information to Google about the privacy considerations
June 8, 2017 - Google advised that they are working on the issue
July 5, 2017 - Asked for an update
July 6, 2017 - Google provided an update
July 20, 2017 - Asked for an update
July 24, 2017 - Google advised that they expect the applications will be updated in 2-4 months
November 20, 2017 - Asked whether the release is on schedule
November 24, 2017 - Google provided an update
December 13, 2017 - Asked for an update
December 14, 2017 - Google provided an update
May 28, 2018 - Asked for an update
June 8, 2018 - Google provided an update
August 24, 2018 - Notified Google of a planned disclosure date of November 1, 2018

Solution

The Google Cardboard Android & iOS applications as of November 1, 2018 are affected.
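A check a mobile app reviewer could run over an intercepting-proxy export to spot the condition described under Issue: device attributes sent over plain HTTP to a host the app vendor does not own. This is an added example, not code from the advisory; the parameter names, hostnames and sample requests are all constructed, since the advisory does not give the real ones.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Hypothetical parameter names standing in for the device attributes the
# advisory lists; the real names used by the analytics endpoint are not given.
DEVICE_KEYS = {"os", "cpu_arch", "cpu_count", "gpu_vendor", "gpu_version",
               "ram", "vram", "screen", "make", "model"}

def extract_keys(url, body):
    """Collect parameter names from the query string and a form or JSON body."""
    keys = {k.lower() for k, _ in parse_qsl(urlsplit(url).query)}
    body = (body or "").strip()
    if body.startswith("{"):
        try:
            parsed = json.loads(body)
        except ValueError:
            parsed = None  # malformed JSON: nothing to extract
        if isinstance(parsed, dict):
            keys |= {k.lower() for k in parsed}
    else:
        keys |= {k.lower() for k, _ in parse_qsl(body)}
    return keys

def cleartext_device_leaks(requests, first_party_hosts):
    """Return (host, leaked_keys) for each http:// request to a third-party
    host that carries device attributes."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        host = parts.hostname or ""
        if parts.scheme != "http" or host in first_party_hosts:
            continue  # TLS-protected, or not a third party
        leaked = sorted(extract_keys(req["url"], req.get("body")) & DEVICE_KEYS)
        if leaked:
            findings.append((host, leaked))
    return findings

# Constructed capture: one cleartext form post, the same data over TLS,
# a first-party request, and a cleartext JSON beacon.
SAMPLE = [
    {"url": "http://stats.thirdparty.example/collect?os=Android+7.0&model=Pixel",
     "body": "cpu_count=4&ram=3840&gpu_vendor=Qualcomm"},
    {"url": "https://stats.thirdparty.example/collect", "body": "os=Android&ram=3840"},
    {"url": "http://vendor.example/config?model=Pixel", "body": ""},
    {"url": "http://cdn.thirdparty.example/beacon",
     "body": '{"Screen": "1080x1920", "session": "abc"}'},
]

if __name__ == "__main__":
    for host, keys in cleartext_device_leaks(SAMPLE, {"vendor.example"}):
        print(f"cleartext device data to {host}: {', '.join(keys)}")
```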


Copyright 2018, cxsecurity.com

 
