Security Company Claims Official Sonic Mobile Games Leak Data

Last year, Sega made efforts to strengthen it’s position as a mobile game publisher with the launch of Sega Forever and the release of Sonic Forces: Speed Battle as well as a number of other non Sonic titles which saw a re-release onto mobile platforms.

Well… Some rather alarming claims have been made by a security company Pradeo who after performing a number of tests on Sega’s mobiles apps hosted on the Google Play store discovered that they had on average 15 security breaches per game and were also leaking users data.

It’s not all Sega games which are affected. Based on the report it’s only Sonic titles… they are as follows.

  • Sonic Dash 1.
  • Sonic Dash 2.
  • Sonic the Hedgehog.

Some of the issues the report highlights are as follows.

  • The 3 Apps geolocate users and relay their position.
  • The 3 Apps leak device data.
  • Data are sent to an average of 11 distant servers including 3 uncertified ones.
  • The 3 Apps feature an average of 15 OWASP vulnerabilities.

Now some of these might be explained away, e.g. the geolocate data could be used for marketing and promotional purposes e.g. if a user is playing in a region which has a promotion running, show adverts for that promotion.

However, there are still some major problems that this report brings to light, mainly that the games are according to Pradeo’s team “are sending information to 3 uncertified servers of which 2 are a variant of Android/Inmobi.D, and represent a potential threat.

You can read the full report on Pradeo’s website which goes into more detail on the security flaws and concerns that their team found.

Sega has since responded and said that they are investigating the claims.

Source: Pradeo Security