The Google Cardboard Android and iOS applications (Android version 1.8, iOS version 1.2 and below) sends potentially sensitive information such as OS, CPU architecture, graphics chip vendor and version, CPU count, RAM, VRAM, screen size, device make and model, unencrypted to a third party site (Unity 3D Stats).
90bd446dbfb72bbe575551b017929885https://www.info-sec.ca/advisories/Google-Cardboard.html
Google Cardboard Android & iOS Applications - Unencrypted Third Party
Analytics
Overview
"Cardboard puts virtual reality on your smartphone. The Cardboard app
helps you launch your favorite VR experiences, discover new apps, and
set up a viewer."
(https://play.google.com/store/apps/details?id=com.google.samples.apps.cardboarddemo)
(https://itunes.apple.com/us/app/google-cardboard/id987962261)
Issue
The Google Cardboard Android & iOS applications (Android version 1.8,
iOS version 1.2 and below) sends potentially sensitive information such
as OS, CPU architecture, graphics chip vendor & version, CPU count, RAM,
VRAM, screen size, device make and model, unencrypted to a third party
site (Unity 3D Stats).
Impact
An attacker who can monitor network traffic could capture potentially
sensitive information about the user's device without their knowledge.
Timeline
May 9, 2017 - Notified Google of the issue
May 9, 2017 - Google sent an auto acknowledgment
May 10, 2017 - Google responded stating that they are investigating
May 18, 2017 - Asked for an update
May 19, 2017 - Google acknowledged the issue
June 6, 2017 - Google provided the information to their development team
June 6, 2017 - Provided additional information to Google about the
privacy considerations
June 8, 2017 - Google advised that they are working on the issue
July 5, 2017 - Asked for an update
July 6, 2017 - Google provided an update
July 20, 2017 - Asked for an update
July 24, 2017 - Google advised that they expect the applications will be
updated in 2-4 months
November 20, 2017 - Asked whether the release is on schedule
November 24, 2017 - Google provided an update
December 13, 2017 - Asked for an update
December 14, 2017 - Google provided an update
May 28, 2018 - Asked for an update
June 8, 2018 - Google provided an update
August 24, 2018 - Notified Google of a planned disclosure date of
November 1, 2018
Solution
The Google Cardboard Android & iOS applications as of November 1, 2018
are affected.