Google Cardboard Android & iOS Applications - Unencrypted Third Party Analytics (CVE-2018-19111)

Overview

"Cardboard puts virtual reality on your smartphone. The Cardboard app helps you launch your favorite VR experiences, discover new apps, and set up a viewer."

(https://play.google.com/store/apps/details?id=com.google.samples.apps.cardboarddemo)
(https://itunes.apple.com/us/app/google-cardboard/id987962261)

Issue

The Google Cardboard Android & iOS applications (Android version 1.8, iOS version 1.2 and below) send potentially sensitive information, such as OS, CPU architecture, graphics chip vendor & version, CPU count, RAM, VRAM, screen size, and device make and model, unencrypted to a third-party site (Unity 3D Stats).
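As an added illustration that is not part of the advisory, the following Python scans captured HTTP request records for cleartext uploads that carry the device fields listed above. The records, the analytics hostname and the first-party host list are constructed placeholders, not the real Unity 3D Stats endpoint or any Google host.

```python
# Added example (not from the advisory). Records and hostnames are constructed;
# the analytics host is a placeholder, not the real Unity 3D Stats endpoint.
import json
from urllib.parse import parse_qs, urlsplit

# Fields the advisory lists as sent unencrypted.
DEVICE_FIELDS = {"os", "cpu_arch", "gpu_vendor", "gpu_version", "cpu_count",
                 "ram", "vram", "screen", "device_make", "device_model"}
FIRST_PARTY_HOSTS = {"api.vendor.invalid"}  # placeholder: the app vendor's own hosts

def body_keys(body, content_type):
    """Return parameter names from a JSON object or form-encoded body."""
    if not body:
        return set()
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return set()
        return set(data) if isinstance(data, dict) else set()
    return set(parse_qs(body, keep_blank_values=True))

def classify(record):
    """Return a finding for one captured request, or None if it is benign."""
    url = urlsplit(record["url"])
    leaked = body_keys(record.get("body", ""), record.get("content_type", "")) & DEVICE_FIELDS
    if url.scheme != "http" or not leaked:
        return None  # TLS-protected, or no device fields in the body
    return {"host": url.hostname, "fields": sorted(leaked),
            "third_party": url.hostname not in FIRST_PARTY_HOSTS}

def scan(records):
    """Run classify() over captured records and keep only the findings."""
    return [f for f in map(classify, records) if f]

# Constructed capture: cleartext third-party upload, TLS upload, cleartext
# first-party request, and a cleartext request with no device data.
SAMPLE = [
    {"url": "http://stats.analytics.invalid/events",
     "content_type": "application/x-www-form-urlencoded",
     "body": "os=Android+8.0&cpu_arch=arm64-v8a&gpu_vendor=Qualcomm&ram=4096"
             "&vram=1024&screen=1080x1920&device_model=Pixel"},
    {"url": "https://stats.analytics.invalid/events", "content_type": "application/json",
     "body": '{"os": "iOS 11", "cpu_count": 6}'},
    {"url": "http://api.vendor.invalid/config", "content_type": "application/json",
     "body": '{"os": "Android 8.0"}'},
    {"url": "http://stats.analytics.invalid/ping", "content_type": "application/json",
     "body": '{"event": "app_open"}'},
]
```

Running scan(SAMPLE) reports two findings: the third-party form upload with seven device fields, and the first-party JSON request with one; the TLS request and the event ping are not flagged.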

Impact

An attacker who can monitor network traffic could capture potentially sensitive information about the user's device without their knowledge.

Timeline

May 9, 2017 - Notified Google of the issue
May 9, 2017 - Google sent an auto acknowledgment
May 10, 2017 - Google responded stating that they are investigating
May 18, 2017 - Asked for an update
May 19, 2017 - Google acknowledged the issue
June 6, 2017 - Google provided the information to their development team
June 6, 2017 - Provided additional information to Google about the privacy considerations
June 8, 2017 - Google advised that they are working on the issue
July 5, 2017 - Asked for an update
July 6, 2017 - Google provided an update
July 20, 2017 - Asked for an update
July 24, 2017 - Google advised that they expect the applications will be updated in 2-4 months
November 20, 2017 - Asked whether the release is on schedule
November 24, 2017 - Google provided an update
December 13, 2017 - Asked for an update
December 14, 2017 - Google provided an update
May 28, 2018 - Asked for an update
June 8, 2018 - Google provided an update
August 24, 2018 - Notified Google of a planned disclosure date of November 1, 2018

Solution

As of November 1, 2018, the Google Cardboard Android & iOS applications remain affected.

CVE-ID

CVE-2018-19111

Questions?

Contact Information

Info-Sec.CA