Texture Canada Android & iOS Applications - Unencrypted Third Party 
Analytics (CVE-2019-8632)
--
https://www.info-sec.ca/advisories/Texture.html

Overview

"Texture: Unlimited access to over 100 of the world's best magazines on 
your computer, smartphone or tablet."

(https://play.google.com/store/apps/details?id=com.nim.rogers)
(https://itunes.apple.com/ca/app/texture-canada/id649174756)

Issue

The Texture Canada Android & iOS applications (Android version 4.21.0.1, 
iOS version 5.11.6 and below) sends potentially sensitive information 
such as number of app launches, device model, Android or iOS version and 
screen resolution, unencrypted to a third party site (ScorecardResearch).

Impact

An attacker who can monitor network traffic could capture potentially 
sensitive information about the user's device without their knowledge.

Timeline

July 10, 2018 - Attempted to notify Texture of the issue via 
security@texture.ca
July 10, 2018 - Attempted to notify Texture of the issue via 
support@texture.ca
July 12, 2018 - Provided the details of the issue to Apple via 
product-security@apple.com
May 9, 2019 - Published an advisory to document the issue

Solution

Upgrade to Android version 4.22.0.4 or iOS version 5.11.10 (U.S. 
versions are also affected but have not been tested)

https://support.apple.com/en-us/HT210110
https://support.apple.com/en-us/HT210111
https://support.apple.com/en-us/HT201222

CVE-ID:

CVE-2019-8632