Shazam on Android versions 8.3.1-180206 and below disclose potentially sensitive information to third party analytics.
e48086085f3d65188de31f424f0becbcShazam Android Application - Unencrypted Third Party Analytics
Overview
"Shazam is one of the worldas most popular apps, used by hundreds of millions of people each month to instantly identify music thatas playing and see what others are discovering. All for free."
(https://play.google.com/store/apps/details?id=com.shazam.android)
Issue
The Shazam Android application (version 8.3.1-180206 and below) sends potentially sensitive information such as mobile carrier, install date and time, number of app launches, device model, Android version and screen resolution, unencrypted to a third party site (ScorecardResearch).
Impact
An attacker who can monitor network traffic could capture potentially sensitive information about the user's usage of the app and Android device without their knowledge.
Timeline
December 16, 2017 - Notified Shazam via [email protected]
January 9, 2018 - Provided the details to Apple via [email protected]
January 12, 2018 - Apple asked for additional information
January 17, 2018 - Apple provided the details to the Shazam security team
February 7, 2018 - Asked Apple if they were able to confirm the issue
February 12, 2018 - Apple advised that the Shazam security team had taken over the investigation
February 12, 2018 - Thanked Apple for coordinating with the Shazam security team
February 14, 2018 - Shazam provided information about their privacy policy and how they collect analytics
February 14, 2018 - Provided additional information to Shazam about how analytics information is sent unencrypted
March 5, 2018 - Shazam provided an update on their plan to address the issue
March 19, 2018 - Shazam advised that version 8.4.1-180315 is available which sends analytics data to ScorecardResearch over an encrypted connection
April 9, 2018 - Published an advisory to document the issue
Solution
Upgrade to version 8.4.1-180315 or later