Security Company Claims Official Sonic Mobile Games Leak Data

Last year, Sega made efforts to strengthen it’s position as a mobile game publisher with the launch of Sega Forever and the release of Sonic Forces: Speed Battle as well as a number of other non Sonic titles which saw a re-release onto mobile platforms.

Well… Some rather alarming claims have been made by a security company Pradeo who after performing a number of tests on Sega’s mobiles apps hosted on the Google Play store discovered that they had on average 15 security breaches per game and were also leaking users data.

It’s not all Sega games which are affected. Based on the report it’s only Sonic titles… they are as follows.

  • Sonic Dash 1.
  • Sonic Dash 2.
  • Sonic the Hedgehog.

Some of the issues the report highlights are as follows.

  • The 3 Apps geolocate users and relay their position.
  • The 3 Apps leak device data.
  • Data are sent to an average of 11 distant servers including 3 uncertified ones.
  • The 3 Apps feature an average of 15 OWASP vulnerabilities.

Now some of these might be explained away, e.g. the geolocate data could be used for marketing and promotional purposes e.g. if a user is playing in a region which has a promotion running, show adverts for that promotion.

However, there are still some major problems that this report brings to light, mainly that the games are according to Pradeo’s team “are sending information to 3 uncertified servers of which 2 are a variant of Android/Inmobi.D, and represent a potential threat.

You can read the full report on Pradeo’s website which goes into more detail on the security flaws and concerns that their team found.

Sega has since responded and said that they are investigating the claims.

Source: Pradeo Security

4 Comments

  1. Based upon my own casual observances of the games’ save data and the libraries which they use, I can believe that what Pradeo reports is completely true. It actually is a bit frightening seeing all of the tracking and analytics libraries and services which Sonic Dash 1 & 2 use.

    1. The requested permissions alone should make you realize something is not right.

      Sonic The Hedgehog 2 Classic (NOT affected) asks for:
      In-app purchases
      Wifi info

      Sonic Dash (AFFECTED) asks for:
      In-app purchases
      Wifi info
      Location
      Identity
      Device and app history
      Storage (photos, media, files)
      Device ID/info

  2. To give a bit of background:
    OWASP is the Open Web Application Security Project (https://www.owasp.org), and their main focus is analysing the state of the Web, identifying the various security issues that exist, examining how prevalent they are, and raising awareness of the importance of designing Web software to be secure by default. In other words, if your app or website has an issue on their Top 10 list, you done goofed big-time.

    On an unrelated note:
    “Data are sent”
    It’s so refreshing to see someone recognise that ‘data’ is plural 😀

Comments are closed.