A recently patched vulnerability in the EngageLab SDK, a widely used third-party Android software development kit for push notifications and analytics, exposed approximately 50 million users to data theft and unauthorized access. About 30 million of those installs are cryptocurrency wallets.
Overview
The EngageLab SDK, integrated into hundreds of popular Android applications, contained a flaw in its authentication mechanism that let an attacker intercept push notification tokens and hijack user sessions without any user interaction.
Technical Details
- The SDK transmitted device tokens over unencrypted HTTP under some network conditions, so anyone on the network path could read them; a token that has been observed in cleartext should be treated as compromised
- Improper certificate validation allowed man-in-the-middle attacks on the SDK's API endpoints, so TLS offered no real protection against an attacker on the path
- Hardcoded API keys in older SDK versions let anyone who extracted them from an APK send push notifications as the app
Impact Assessment
Severity: High (CVSS 8.5)
The 30 million cryptocurrency wallet installs are of particular concern: an attacker able to send pushes as the app could impersonate legitimate wallet alerts and trick users into approving malicious transactions.
Recommended Mitigations
- Update the EngageLab SDK dependency in every app that ships it to the patched release and publish the app update; users stay exposed until they install it
- Revoke and regenerate all SDK API keys, and treat any key that was compiled into an APK as public
- Audit which services and credentials are allowed to send push notifications through your apps, and remove any you cannot account for
- Enforce certificate pinning and block cleartext traffic for SDK communications; on Android a Network Security Config covers any SDK that uses the platform TLS stack, but an SDK that bundles its own TrustManager bypasses it, so the SDK update remains the primary fix
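The following script is an added check for this page, not EngageLab's code or configuration. It audits an Android Network Security Config for the weaknesses listed under Technical Details and for the pinning mitigation above: cleartext traffic permitted, user-installed CAs trusted, and SDK hosts without a pin-set, without a backup pin, or with an expired pin-set. The SDK hostnames, the pin values and both sample configs are constructed placeholders; the article names no hostnames.

```python
"""Audit an Android Network Security Config for cleartext traffic, user-CA
trust and missing or expired certificate pins on SDK endpoints.

Added example; not EngageLab's code. SDK_HOSTS, the pin values and both
sample configs are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from datetime import date

# Hypothetical SDK endpoints (the article names no hostnames).
SDK_HOSTS = ["api.sdk.example.com", "push.sdk.example.com"]

# Constructed weak config: cleartext allowed app-wide, user CAs trusted, nothing pinned.
WEAK_CONFIG = """
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed hardened config: cleartext blocked, system CAs only, the SDK
# domain pinned with a backup pin. Pin values are placeholders, not real SPKI hashes.
HARDENED_CONFIG = """
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">sdk.example.com</domain>
        <pin-set expiration="2027-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""


def _cleartext_permitted(el, inherited):
    """Resolve cleartextTrafficPermitted on el, inheriting from the enclosing scope."""
    val = el.get("cleartextTrafficPermitted") if el is not None else None
    return inherited if val is None else val.lower() == "true"


def _domain_matches(domain_el, host):
    """Mirror Android's rule: exact host, or any subdomain when includeSubdomains is set."""
    pattern = (domain_el.text or "").strip().lower()
    if host == pattern:
        return True
    include_sub = domain_el.get("includeSubdomains", "false").lower() == "true"
    return include_sub and host.endswith("." + pattern)


def audit(config_xml, sdk_hosts, today=None, min_sdk=24):
    """Return a list of findings; an empty list means the config passes this audit."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    root = ET.fromstring(config_xml.strip())
    findings = []

    # Without an explicit attribute the platform default applies, and that
    # default is "permitted" below API 28, so an old minSdk inherits the weakness.
    base = root.find("base-config")
    base_cleartext = _cleartext_permitted(base, inherited=min_sdk < 28)
    if base_cleartext:
        findings.append("base-config: cleartext traffic permitted, tokens can travel over HTTP")

    # Trusting user-installed CAs lets a proxy CA added in Settings intercept TLS.
    if any(c.get("src") == "user" for c in root.iter("certificates")):
        findings.append("trust-anchors: user-installed CAs trusted, enables proxy MitM")

    for host in sdk_hosts:
        host = host.lower()
        cfg = next((dc for dc in root.iter("domain-config")
                    if any(_domain_matches(d, host) for d in dc.findall("domain"))), None)
        if cfg is None:
            findings.append(f"{host}: no domain-config, so no pin-set")
            continue
        # Nested domain-config inheritance is simplified to base-config here.
        if _cleartext_permitted(cfg, base_cleartext):
            findings.append(f"{host}: cleartext traffic permitted")
        pin_set = cfg.find("pin-set")
        if pin_set is None:
            findings.append(f"{host}: no pin-set")
            continue
        pins = [p for p in pin_set.findall("pin") if p.get("digest") == "SHA-256"]
        if len(pins) < 2:
            findings.append(f"{host}: single pin, no backup pin for key rotation")
        exp = pin_set.get("expiration")
        # Android silently stops enforcing an expired pin-set rather than failing closed.
        if exp and date.fromisoformat(exp) <= today:
            findings.append(f"{host}: pin-set expired on {exp}, pins no longer enforced")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg, SDK_HOSTS) or ['no findings']}")
```

Point `audit` at the `res/xml/network_security_config.xml` extracted from your own build and at the hostnames the SDK actually contacts (visible in a proxy or in the SDK's network calls). Two caveats apply: the config only governs code that uses the platform TLS stack, so an SDK that installs its own TrustManager is not covered, and an expired pin-set disables pinning silently, which is why the script treats a past expiration as a finding rather than a warning.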
Written by Tarang Parmar (CEH) — TheCyberSecurity.Network.