https://www.info-sec.ca/advisories/Google-Cardboard.html
Google Cardboard Android & iOS Applications - Unencrypted Third Party
Analytics
Overview
"Cardboard puts virtual reality on your smartphone. The Cardboard app
helps you launch your favorite VR experiences, discover new apps, and
set up a viewer."
(https://play.google.com/store/apps/details?id=com.google.samples.apps.cardboarddemo)
(https://itunes.apple.com/us/app/google-cardboard/id987962261)
Issue
The Google Cardboard Android & iOS applications (Android version 1.8,
iOS version 1.2 and below) send potentially sensitive information, such
as OS, CPU architecture, graphics chip vendor & version, CPU count, RAM,
VRAM, screen size, and device make and model, unencrypted to a third-party
site (Unity 3D Stats).
Impact
An attacker who can monitor network traffic could capture potentially
sensitive information about the user's device without their knowledge.
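The following is an added example, not part of the original advisory or
of Google's or Unity's code: a check a tester could run over requests
captured from their own device to flag device-profile fields sent over
plain HTTP. The hosts, parameter names and sample values are constructed
placeholders, since the advisory does not give the endpoint or wire format.

```python
from urllib.parse import parse_qsl, urlsplit

# Attribute categories named in the advisory, keyed by HYPOTHETICAL
# parameter names (the advisory does not document the wire format).
DEVICE_KEYS = {
    "os": "OS",
    "cpu_arch": "CPU architecture",
    "gpu_vendor": "graphics chip vendor",
    "gpu_version": "graphics chip version",
    "cpu_count": "CPU count",
    "ram": "RAM",
    "vram": "VRAM",
    "screen": "screen size",
    "make": "device make",
    "model": "device model",
}

def audit_request(url, body="", first_party=()):
    """Return a finding if device fields travel over cleartext HTTP, else None."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query) + parse_qsl(body))
    leaked = sorted(DEVICE_KEYS[k] for k in params if k in DEVICE_KEYS)
    if parts.scheme.lower() != "http" or not leaked:
        return None  # encrypted in transit, or no device attributes present
    host = parts.hostname or ""
    third_party = not any(host == d or host.endswith("." + d) for d in first_party)
    return {"host": host, "third_party": third_party, "fields": leaked}

def audit_capture(requests, first_party=()):
    """Audit (url, form_body) pairs exported from an intercepting proxy."""
    findings = (audit_request(url, body, first_party) for url, body in requests)
    return [f for f in findings if f]

# Constructed sample capture: placeholder hosts and values, not real traffic.
SAMPLE = [
    ("http://stats.example.test/collect",
     "os=Android+7.1&cpu_arch=arm64&gpu_vendor=ExampleGPU&cpu_count=8"
     "&ram=3072&vram=512&screen=1080x1920&make=ExampleCo&model=X1"),
    ("https://stats.example.test/collect", "os=Android+7.1&model=X1"),
    ("http://cdn.example.test/asset.png?v=3", ""),
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE, first_party=("vendor.example",)):
        print(finding)
```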
Timeline
May 9, 2017 - Notified Google of the issue
May 9, 2017 - Google sent an auto acknowledgment
May 10, 2017 - Google responded stating that they are investigating
May 18, 2017 - Asked for an update
May 19, 2017 - Google acknowledged the issue
June 6, 2017 - Google provided the information to their development team
June 6, 2017 - Provided additional information to Google about the
privacy considerations
June 8, 2017 - Google advised that they are working on the issue
July 5, 2017 - Asked for an update
July 6, 2017 - Google provided an update
July 20, 2017 - Asked for an update
July 24, 2017 - Google advised that they expect the applications will be
updated in 2-4 months
November 20, 2017 - Asked whether the release is on schedule
November 24, 2017 - Google provided an update
December 13, 2017 - Asked for an update
December 14, 2017 - Google provided an update
May 28, 2018 - Asked for an update
June 8, 2018 - Google provided an update
August 24, 2018 - Notified Google of a planned disclosure date of
November 1, 2018
Solution
As of November 1, 2018, the Google Cardboard Android & iOS applications
are affected.