
AppLovin Security Notice

by Adam Foroughi on Nov 21, 2013

Recently, several security blogs wrote about vulnerabilities in our Android SDK. As an ad network, we utilize this SDK to render ads in third-party applications on the Android platform. I’m writing this post to highlight the concerns raised in these articles and to detail the steps we have taken and are continuing to take to improve our product.

We first learned of the Android SDK security vulnerabilities when a firm notified us on July 24th.

Two key areas of vulnerability were highlighted:

  • A remote update feature. We added this feature in May 2012, when we first launched, to push urgent server-side fixes without forcing developers to update.
  • SDK calls which access user data. These calls were from our Alpha SDK, which provided developer tools such as data management and CRM.

Unfortunately, even though we have not used these features in many months, they were not removed from our SDK. Together, these vulnerabilities meant that a sophisticated attacker could use our SDK as a vector for malicious actions. Although we are unaware of reports of actual attacks, we deeply regret that a risk has been created by these vulnerabilities.

After we heard from the initial security firm, my team and I took immediate action, releasing a new SDK version (5.1) on 8/1/13 that fixed both of these issues. We then notified our developer base about a security concern on 08/04/13, requesting everyone to upgrade.

Since the release of the new SDK on 8/1/13 and our initial note to Android developers, we have taken the following steps:

  • Reached out to developers who still run older versions of the SDK and encouraged them to update due to the security issues. In order to completely remove the threat, all developers must update their applications to version 5.1 or later. The majority of developers have updated to a later SDK.
  • Separately, we are now actively notifying our developers who still have live apps on a vulnerable SDK that we will discontinue service if their SDKs have not been updated by the end of December.

We care deeply about the trust of users, customers and partners, and apologize for what has occurred. Please know that we will continue working hard to prevent this issue from impacting users.

If you have questions, or you are a developer partner who needs to update to the new SDK, please contact us at: [email protected]


Adam Foroughi, CEO AppLovin
