Google Cardboard Android / iOS Applications Information Disclosure

The Google Cardboard Android and iOS applications (Android version 1.8, iOS version 1.2 and below) send potentially sensitive information, such as OS, CPU architecture, graphics chip vendor and version, CPU count, RAM, VRAM, screen size, and device make and model, unencrypted to a third-party site (Unity 3D Stats).


MD5 | 90bd446dbfb72bbe575551b017929885

https://www.info-sec.ca/advisories/Google-Cardboard.html

Google Cardboard Android & iOS Applications - Unencrypted Third Party
Analytics

Overview

"Cardboard puts virtual reality on your smartphone. The Cardboard app
helps you launch your favorite VR experiences, discover new apps, and
set up a viewer."

(https://play.google.com/store/apps/details?id=com.google.samples.apps.cardboarddemo)
(https://itunes.apple.com/us/app/google-cardboard/id987962261)

Issue

The Google Cardboard Android & iOS applications (Android version 1.8,
iOS version 1.2 and below) send potentially sensitive information, such
as OS, CPU architecture, graphics chip vendor & version, CPU count, RAM,
VRAM, screen size, and device make and model, unencrypted to a
third-party site (Unity 3D Stats).

Impact

An attacker who can monitor network traffic could capture potentially
sensitive information about the user's device without their knowledge.
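
The check below is an added example, not part of the original advisory: it scans a proxy capture in HAR form for cleartext HTTP requests whose parameters cover the device attributes listed under Issue. The parameter names, hosts and sample capture are constructed assumptions, since the advisory does not give the request format.

```python
import json
import re
from urllib.parse import urlsplit, parse_qsl

# Attribute categories named in the advisory, mapped to hypothetical
# parameter-name tokens (assumed; the real field names are not on the page).
CATEGORIES = {
    "os": {"os"},
    "cpu": {"cpu", "processor"},
    "graphics": {"gfx", "gpu", "graphics"},
    "memory": {"ram", "vram", "memory"},
    "screen": {"screen", "resolution"},
    "device": {"make", "model", "device"},
}

def request_fields(request):
    """Parameter names from the URL query and from a form-encoded body."""
    names = [k for k, _ in parse_qsl(urlsplit(request["url"]).query, keep_blank_values=True)]
    post = request.get("postData") or {}
    if post.get("mimeType", "").startswith("application/x-www-form-urlencoded"):
        names += [k for k, _ in parse_qsl(post.get("text", ""), keep_blank_values=True)]
    return names

def cleartext_device_leaks(har, min_categories=2):
    """Map host -> device-attribute categories seen in unencrypted requests."""
    findings = {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        if url.scheme != "http":
            continue  # requests sent over TLS are out of scope for this check
        hit = set()
        for name in request_fields(req):
            # Match whole tokens so "host" or "position" do not count as "os".
            tokens = set(re.split(r"[^a-z0-9]+", name.lower()))
            hit |= {cat for cat, words in CATEGORIES.items() if tokens & words}
        if len(hit) >= min_categories:
            findings.setdefault(url.hostname, set()).update(hit)
    return {host: sorted(cats) for host, cats in findings.items()}

# Constructed sample capture (not real traffic from the application).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "http://stats.example.invalid/collect",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "os=Android+7.0&cpu_count=8&gfx_vendor=ExampleGPU"
                                      "&ram=2048&device_model=ExamplePhone"}}},
    {"request": {"method": "GET", "url": "https://api.example.invalid/v1?os=Android&device_model=X"}},
    {"request": {"method": "GET", "url": "http://cdn.example.invalid/img.png?host=a&position=3"}},
]}}

if __name__ == "__main__":
    print(json.dumps(cleartext_device_leaks(SAMPLE_HAR), indent=2))
```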

Timeline

May 9, 2017 - Notified Google of the issue
May 9, 2017 - Google sent an auto acknowledgment
May 10, 2017 - Google responded stating that they are investigating
May 18, 2017 - Asked for an update
May 19, 2017 - Google acknowledged the issue
June 6, 2017 - Google provided the information to their development team
June 6, 2017 - Provided additional information to Google about the
privacy considerations
June 8, 2017 - Google advised that they are working on the issue
July 5, 2017 - Asked for an update
July 6, 2017 - Google provided an update
July 20, 2017 - Asked for an update
July 24, 2017 - Google advised that they expect the applications will be
updated in 2-4 months
November 20, 2017 - Asked whether the release is on schedule
November 24, 2017 - Google provided an update
December 13, 2017 - Asked for an update
December 14, 2017 - Google provided an update
May 28, 2018 - Asked for an update
June 8, 2018 - Google provided an update
August 24, 2018 - Notified Google of a planned disclosure date of
November 1, 2018

Solution

As of November 1, 2018, the Google Cardboard Android & iOS applications
are affected.
