A survey found that a large number of smart TV apps embed proxy SDKs that route other people's traffic through users' home networks.

Spur Intelligence Labs, a company that analyzes IP addresses, has reported that many smart TV apps incorporate 'residential proxy SDKs' that relay other people's communications using the user's home internet connection. Spur Intelligence Labs investigated 6,038 smart TV apps from LG and Samsung, and found proxy SDKs in 2,058 of them.
Nearly Half of LG Smart TV Apps Contain Residential Proxy SDKs
Smart TVs are computers connected to the internet, but unlike smartphones and PCs, they offer little opportunity to inspect their settings or network traffic in detail. They are treated as home appliances for watching videos: plugged in and used that way for many years.
According to a report by Spur Intelligence Labs, seemingly simple apps such as clocks, tropical fish screensavers, solitaire, and puppy videos may be using home IP addresses as part of a proxy network. A proxy is a system that relays internet traffic, and residential proxies make it appear as if access is coming from a typical home internet connection, so they are used for website research and advertising verification.
For app developers, advertising is a source of revenue, but displaying a large number of ads in apps like clocks or screensavers can make them less user-friendly. By incorporating a proxy SDK, apps can remain quiet on the screen while still generating revenue through the smart TV's internet connection.

According to Spur Intelligence Labs, the apps under investigation included proxy SDKs from proxy network companies such as Bright Data, Massive, Honeygain, and Oxylabs. They found 367 apps published under a Bright Data-related name, and 16 apps published under the name of Honeygain UAB, a subsidiary of Oxylabs. Spur Intelligence Labs points out that some of these apps appear to have been created not so much as 'normal apps with a proxy SDK embedded,' but rather as 'apps created specifically as containers to run proxy SDKs.'
There are also issues regarding user consent. Spur Intelligence Labs reported that the consent screen they examined indicated that the proxy might continue to run even after the app was closed. Furthermore, it has been reported that some Samsung Tizen apps offered an ad-free experience if the user accepted the use of Bright Data, while refusing it resulted in an ad-supported experience. In other words, it was a monetization model where users had to choose between 'watching ads' or 'using their home network.'

When a home internet connection is used as a proxy, the problem isn't simply that 'someone is using my IP address.' Smart TVs sit on the same home network as routers, NAS devices, printers, security cameras, and development PCs. If the proxy SDK or the proxy provider's controls are breached or insufficient, the TV could become a foothold for reaching home devices that are not normally directly accessible from the internet.
Spur Intelligence Labs explains that Bright Data's samples included blocklists to prevent access to local networks and private addresses. However, they did not find similar blocklists in some samples related to Massive, Honeygain, or Oxylabs. Spur Intelligence Labs points out that ultimate security depends not on the smart TV itself, but on the proxy provider's review, communication control, internal rules, and app store review.
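The kind of destination blocklist described above, sketched as an added example (not code from Spur Intelligence Labs, any proxy provider, or any SDK). The function names, address ranges and sample hostnames are assumptions chosen for illustration; the check runs on resolved addresses rather than hostnames.

```python
import ipaddress

# Destinations a residential relay should refuse: loopback, RFC 1918 private
# space, CGNAT, link-local, multicast, reserved, and the IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_blocked(addr: str) -> bool:
    """Return True if a resolved destination address must be refused."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # not a literal IP address: fail closed
    # Unwrap IPv4-mapped IPv6 (::ffff:192.168.1.1) so it cannot slip past
    # the IPv4 rules.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in BLOCKED_NETS)


def filter_destinations(resolved: dict) -> dict:
    """Map each hostname to 'allow' or 'deny' from its resolved addresses.

    A host is denied when it has no addresses or when any single address
    is blocked, so a mixed public/private DNS answer is refused.
    """
    return {
        host: "deny" if not addrs or any(is_blocked(a) for a in addrs) else "allow"
        for host, addrs in resolved.items()
    }


# Constructed sample: hostnames with the addresses a resolver returned.
# 203.0.113.10 is a documentation address standing in for a public host.
SAMPLE = {
    "public.example": ["203.0.113.10"],
    "router.example": ["192.168.1.1"],
    "mixed.example": ["203.0.113.10", "10.0.0.5"],
    "mapped.example": ["::ffff:192.168.1.1"],
    "empty.example": [],
}

if __name__ == "__main__":
    for host, verdict in filter_destinations(SAMPLE).items():
        print(f"{host:16} {verdict}")
```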
There are differences in how operators of smart TV operating systems and app stores are handling this issue. Amazon explicitly prohibits apps that support third-party proxy services, and Roku also blocks similar SDKs. On the other hand, no similar explicit policies have been found for LG's webOS and Samsung's Tizen, and it seems that the same monetization model has been found on a large scale.
Spur Intelligence Labs shared its findings with Bright Data, Massive, and Oxylabs before publication, and received responses from each company. Bright Data explained that legitimate and illegitimate networks are distinguished through consent, review, and governance frameworks. Massive stated that it uses a minimal interface to reduce the burden on device owners and verifies customer and legitimate business purposes for users of its proxy network. Oxylabs explained that it restricts access to private networks in both its infrastructure and SDK and undergoes external penetration testing and audits.
Spur Intelligence Labs is not concerned with the existence of residential proxy networks themselves, but rather with the widespread integration of proxy SDKs into smart TVs, which many people don't even realize are computers. They argue that if apps are going to monetize home internet connections, they need to clearly show how the connection is being used, what risks are involved, and what users are agreeing to. Spur Intelligence Labs states that even if apps disappear, proxies won't, and that platforms should provide mechanisms to help users understand the difference.
in Security, Posted by log1d_ts







