Advertising Software Development Kit (SDK): serving up more than just in-app ads and logging sensitive data. [Research Saturday]

On August 24, 2020, Snyk announced the discovery of suspicious behaviors in the iOS version of a popular advertising SDK known as Mintegral. Mintegral was found to be using code obfuscation and method swizzling to modify the functionality of base iOS SDK methods without the application owner's knowledge. Mintegral was also logging all HTTP requests, including headers that could contain authorization tokens or other sensitive data. Since the initial disclosure, Mintegral announced that they were opening the source of their SDK to the market. A major game publisher shared the source code with Snyk for further analysis, leading to significant discoveries. Snyk also continued their research by digging deeper into the Android versions of the SDK, where they hadn't found similar behaviors initially. This research resulted in additional findings that necessitated an update to the previous disclosure. Mintegral and the community at large have responded to the situation, and Snyk summarized the events to finalize their research into this SDK. The original blog and Snyk's update can be found on their website.