FireEye says on its blog that, even after a slew of reports and complaints against Rovio over this kind of information sharing, Rovio continues to share personal information. As of today, FireEye says, more than a quarter of a billion users who create Rovio accounts to save their game progress across multiple devices may be unwittingly sharing all kinds of information, such as age and gender, with multiple parties for profit.
“Once a Rovio account is created and personal information uploaded, the user can do little to stop this personal information sharing,” says the FireEye blog in its analysis. “Their data might be in multiple locations: Angry Birds Cloud, Burstly (ad mediation platform), and third-party ad networks such as Jumptap and Millennial Media. Users can avoid sharing personal data by playing Angry Birds without a Rovio account, but that won’t stop the game from sharing device information.”
Taken at face value, FireEye’s point is plain: with 2 billion downloads and counting of the various Angry Birds games worldwide, Rovio sits on a minefield of information that could be damaging in the wrong hands. The FireEye researchers analysed different versions of Angry Birds and found that multiple versions of the game can share personal information in clear text, including email, address, age and gender.
Most users create Rovio accounts to save game progress and scores and to get onto the global leaderboard. But during that same registration process, FireEye says, the app also captures the user’s birthday, email address and gender. And if you think you are protected against this kind of information harvesting, Rovio’s end-user license agreement (EULA) and privacy policy grant the publisher the right to upload the collected information to third-party entities for marketing.
Further, if the user also signs up for the Rovio newsletter, the user’s first and last name, email address, date of birth, country of residence and gender are captured. This information is aggregated with the user’s Rovio account profile by matching the player’s email address. It is then sold to marketers for profit.
“Angry Birds collects user’s personal information and associates it with a customer id before storing it in the smartphone storage,” the researchers noted. “Then the Burstly ad library embedded in Angry Birds fetches the customer id, uploads the corresponding personal information to the Burstly cloud, and transmits it to other advertising clouds. We have caught such traffic in the network packet captures and the corresponding code paths in the reverse-engineered source code.”
The traffic flow of information from Rovio is shown below.
Angry Birds uses native code called libAngryBird.so to access storage and help the ad libraries store logs, caches, database, configuration files, and AES-encrypted game data. For users with a Rovio account, this data includes the user’s personal information in clear text or easily decrypted formats. For example, some information is stored in clear text in the web view cache called webviewCacheChromium:
{"accountId":"AC3XXX…XXXA62B","accountExtRef":"hE…fDc","personal":{"firstName":null,"lastName":null,"birthday":"19XXXXX-01","age":"30","gender":"FEMALE","country":"United States","countryCode":"US","marketingConsent":false,"avatarId":"AVXXX…XXX2c","imageAssets":[…],"nickName":null},"abid":{"email":"eXXX…[email protected]","isConfirmed":false},"phoneNumber":null,"facebook":{"facebookId":"","email":""},"socialNetworks":[]}
The device is given a universal id 1XXXX8, which is stored in the webviewCookiesChromium database in clear text:
cu1XXXX8|{"name":"cu1XXXX8","value":"3%2XXX…XXX6+PM"}|13XXX…XXX1
The id “1XXXX8” labels the personal information when it is uploaded by the ad mediation platform. The information is then passed on to ad clouds.
1. The initial traffic capture in the PCap shows what kind of information Angry Birds uploads to Burstly:
HTTP/1.1 200 OK
Cache-Control: private
Date: Thu, 06 Mar 2014 XX:XX:XX GMT
Server: Microsoft-IIS/7.5
ServerName: P-ADS-OR-WEBC #22
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-ReqTime: 0
Content-Length: 0
Connection: keep-alive
POST /Services/PubAd.svc/GetSingleAdPlacement HTTP/1.1
Content-type: text/json; charset=utf-8
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Content-Length: 1690
Host: neptune.appads.com
Connection: Keep-Alive
{"data":{"Id":"8XXX5","acceptLanguage":"en","adPool":0,"androidId":"u1XXX…XXXug","bundleId":"com.rovio.angrybirds",…,"cookie":[{"name":"cu1XXX8","value":"3XXX6+PM"},{"name":"vw","value":"ref=1XXX2&dgi=,eL,default,GFW"},{"name":"lc","value":"1XXX8"},{"name":"iuXXXg","value":"x"},{"name":"cuXXX8","value":"3%2XXXPM"},{"name":"fXXXg","value":"ref=1XXX712&crXXX8=2,1&crXXX8=,1"}],"crParms":"age=30,androidstore='com.android.vending',customer='googleplay',gender='FEMALE',version='4.1.0'","debugFlags":0,"deviceId":"aXXX…XXXd","encDevId":"xXXX….XXXs=","encMAC":"iXXX…XXXg=","ipAddress":"","mac":"1XXX…XXX9","noTrack":0,"placement":"","pubTargeting":"age=30,androidstore='com.android.vending',customer='googleplay',gender='FEMALE',version='4.1.0'","rvCR":"","type":"iq","userAgentInfo":{"Build":"1.35.0.50370","BuildID":"323","Carrier":"","Density":"High","Device":"AscendY300","DeviceFamily":"Huawei","MCC":"0","MNC":"0",…
We can see that the information transmitted to neptune.appads.com includes gender, age, Android ID, device ID, MAC address, device type, etc. In another PCap, in which Angry Birds sends a POST to the same host name, the IP address is transmitted too:
HTTP/1.1 200 OK
…
POST /Services/v1/SdkConfiguration/Get HTTP/1.1
…
Host: neptune.appads.com
…
IpAddress":"fXXX…XXX9%eth0",…
According to whois records, the registrant organization of neptune.appads.com is Burstly, Inc. Therefore, the aforementioned information is actually transmitted to Burstly. Both PCaps contain the keyword “crParms.” This keyword is also used in the source code to put personal information into a map that is sent as a payload.
Skyrocket.com is an app monetization service provided by Burstly. The following PCap shows that Angry Birds retrieves the customer ID from Skyrocket.com through an HTTP GET request:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Thu, 06 Mar 2014 07:12:25 GMT
Server: Microsoft-IIS/7.5
ServerName: P-ADS-OR-WEBA #5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-ReqTime: 2
X-Stats: geo-0
Content-Length: 9606
Connection: keep-alive
GET /7….4/ad/image/1…c.jpg HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Host: cdn.skyrocketapp.com
Connection: Keep-Alive
{"type":"ip","Id":"9XXX8",…"data":[{"imageUrl":"https://cdn.skyrocketapp.com/79…2c.jpg","adType":{"width":300,"height":250,"extendedProperty":80},"dataType":64,"textAdType":0,"destType":1,"destParms":"","cookie":[{"name":"fXXXg","value":"ref=1XXX2&cr1XXX8=2,1&cr1XXX8=1&aoXXX8=","path":"/","domain":"neptune.appads.com","expires":"Sat, 05 Apr 2014 XXX GMT","maxage":2…0},{"name":"vw","value":"ref=1XXX2&…},…,"cbi":"https://bs.serving-sys.com/Burstin…25&rtu=-1","cbia":["https://bs…":1,"expires":60},…"color":{"bg":"0…0"},"isInterstitial":1}
2. In this PCap, the ad is fetched by including the customer id 1XXX8 in the HTTP POST request to jumptap.com, i.e. Millennial Media:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Thu, XX Mar 2014 XX:XX:XX GMT
Server: Microsoft-IIS/7.5
ServerName: P-ADS-OR-WEBC #17
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-ReqTime: 475
X-Stats: geo-0;rcf88626-255;rcf75152-218
Content-Length: 2537
Connection: keep-alive
GET /img/1547/1XXX2.jpg HTTP/1.1
Host: i.jumptap.com
Connection: keep-alive
Referer: https://bar/
X-Requested-With: com.rovio.angrybirds
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate
Accept-Language: en-US
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
{“type”:”ip”,”Id”:”8XXX5″,”width”:320,”height”:50,”cookie”:[],โdataโ:[{“data”:”<!– AdPlacement : banner_ingame_burstlyโฆ”,”adType”:{“width”:320, “height”:50, “extendedProperty”:2064 },”dataType”:1, “textAdType”:0, “destType”:10, “destParms”:””, “cookie”:[{“name”:”…”, “value”:”ref=…&cr1XXX8=4,1&cr1XXX8=2,1″, “path”:”/”, “domain”:”neptune.appads.com”, “expires”:”Sat, 0X Apr 2014 0X:XX:XX GMT”, “maxage”:2XXX0}, {“name”:”vw”,…, “crid”:7XXX2, “aoid”:3XXX3, “iTrkData”:”…”, “clkData”:”…”,”feedName”:”Nexage”}]}
In this PCap, the advertisement is retrieved from jumptap.com. We can use the same customer id “1XXXX8” to easily track the PCaps of the different ad libraries.
3. For example, in another PCap from turn.com, customer id remains the same:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Thu, 06 Mar 2014 07:30:54 GMT
Server: Microsoft-IIS/7.5
ServerName: P-ADS-OR-WEBB #6
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-ReqTime: 273
X-Stats: geo-0;rcf88626-272
Content-Length: 4714
Connection: keep-alive
GET /server/ads.js?pub=24…PvctPFq&acp=0.51 HTTP/1.1
Host: ad.turn.com
Connection: keep-alive
Referer: https://bar/
Accept: */*
X-Requested-With: com.rovio.angrybirds
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate
Accept-Language: en-US
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
{"type":"ip","Id":"0…b","width":320,"height":50,"cookie":[],"data":[{"data":"<!-- AdPlacement : banner_ingame_burstly --> "https://burstly.ads.nexage.com:80…" destParms":"","cookie":[{"name":"f…g","value":"ref=1…0&cr1XXXX8=k,1&cr…8=i, 1","path":"/","domain":"neptune.appads.com","expires":"Sat, 0X Apr 2014 0X:XX:XX
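As an added example (not FireEye’s or Rovio’s code), the following Python audit script does what the three captures above do by hand: it parses Burstly’s crParms key=value format, pulls the customer id out of the cu<id> cookie, and groups requests to different ad hosts by that id so the spread of one profile’s age, gender and device identifiers becomes visible. Field names come from the captures; the request bodies and their values are constructed placeholders.

```python
"""Correlate PII-bearing ad requests across hosts via the Burstly customer id.
Added example, not FireEye's or Rovio's code; field names follow the captures
above (crParms, the cu<id> cookie, androidId, mac), all values are constructed."""
import json
import re
from collections import defaultdict

# crParms is a comma-separated key=value list whose values may be single-quoted
_KV = re.compile(r"(\w+)=('([^']*)'|[^,]*)")
# Fields that identify a person or a device when they travel together.
PII_KEYS = {"age", "gender", "androidId", "deviceId", "mac", "ipAddress"}

SAMPLE_REQUESTS = [  # constructed (host, JSON body) pairs, not real captures
    ("neptune.appads.com", json.dumps({"data": {
        "Id": "8XXX5", "androidId": "u1XXXug", "mac": "1XXX9", "ipAddress": "",
        "cookie": [{"name": "cu1XXXX8", "value": "3XXX6+PM"}],
        "crParms": "age=30,androidstore='com.android.vending',gender='FEMALE',version='4.1.0'"}})),
    ("i.jumptap.com", json.dumps({"type": "ip", "Id": "8XXX5",
                                  "cookie": [{"name": "cu1XXXX8", "value": "3XXX6+PM"}]})),
]

def parse_crparms(value):
    """Turn "age=30,gender='FEMALE'" into {'age': '30', 'gender': 'FEMALE'}."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _KV.finditer(value)}

def customer_id(data):
    """Return the id carried in the cu<id> cookie (1XXXX8 on this page), or None."""
    for cookie in data.get("cookie", []):
        if cookie.get("name", "").startswith("cu"):
            return cookie["name"][2:]
    return None

def pii_in_request(host, body):
    """Extract the customer id and every PII field from one JSON request body."""
    payload = json.loads(body)
    data = payload.get("data", payload)  # Burstly wraps its body in "data"
    found = {k: data[k] for k in PII_KEYS if data.get(k)}  # drop empty strings
    if "crParms" in data:
        found.update({k: v for k, v in parse_crparms(data["crParms"]).items()
                      if k in PII_KEYS})
    return {"host": host, "customer_id": customer_id(data), "pii": found}

def exposure_by_customer(requests):
    """Per customer id: the hosts that saw it and the PII fields sent alongside."""
    groups = defaultdict(list)
    for rec in (pii_in_request(h, b) for h, b in requests):
        groups[rec["customer_id"]].append(rec)
    return {cid: {"hosts": sorted({r["host"] for r in recs}),
                  "pii_keys": sorted({k for r in recs for k in r["pii"]})}
            for cid, recs in groups.items()}
```

Running `exposure_by_customer` over real request bodies pulled from a PCap gives, per customer id, the list of ad hosts that received it and the union of personal fields that went with it.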
Earlier, in September 2013, reacting to news reports that Rovio had shared private user information with the NSA and GCHQ under their worldwide snooping programs, the company had stated categorically that it “does not share data, collaborate or collude with any government spy agencies such as NSA or GCHQ anywhere in the world.” Now that too seems like a bitter truth that Angry Birds users will have to swallow in order to kill the bad piggies.
Resource: FireEye Blog