Mobile privacy and SDK risk

Microsoft warned that an outdated Android software‑development kit exposed credentials and financial data for more than 50 million users, highlighting how old embedded components can create widespread risk. At the same time, Google agreed to a roughly $134 million settlement over claims that Android phones transmitted cellular data they shouldn’t have, showing that background telemetry and deprecated SDKs can translate into legal costs years later (techradar.com) (wpxi.com).

A software development kit is a bundle of prewritten code that app makers drop into an app the way a builder drops in a prefab staircase instead of cutting every step by hand. Microsoft said one outdated Android software development kit called EngageSDK let one app on a phone reach into another app’s private space, breaking Android’s usual app-to-app walls. (microsoft.com)

Android’s main safety rule is the sandbox, which is the phone’s version of separate apartments with locked doors for each app. Microsoft said the EngageSDK flaw created an opening through Android “intents,” which are message handoffs between apps, so a malicious app could trigger actions inside a vulnerable app. (microsoft.com)

The bug sat in a feature many users never see: push notifications and in-app messages handled by a third-party toolkit. Microsoft said version 5.2.1 of EngageSDK fixed the issue on November 3, 2025, after Microsoft disclosed it to EngageLab and Google’s Android Security Team. (microsoft.com)

The scale came from reuse. Microsoft said crypto wallet apps alone accounted for more than 30 million installs, and broader reporting on the same disclosure put total affected Android users above 50 million because the same kit had been embedded across many unrelated apps. (microsoft.com) (techrepublic.com)

The data at risk was not just names and email addresses. Microsoft said personally identifiable information, user credentials, and financial data could have been exposed if a bad app landed on the same device as a vulnerable wallet or finance app. (microsoft.com)

Microsoft also said it had not seen evidence of the flaw being exploited in the wild when it published the research on April 9, 2026. Google removed detected apps using vulnerable versions from Google Play and added extra automatic protections for users who had already installed them. (microsoft.com)

That is the supply-chain problem in mobile form: your bank app or wallet app can look careful on the surface and still inherit risk from code written by someone else years earlier. Microsoft’s write-up says apps increasingly depend on outside libraries, which means one bad component can spread the same weakness across millions of phones at once. (microsoft.com)

At the same time, Google is paying to end a different Android fight that also turned on background behavior users could not really see. A class action settlement announced in April 2026 says Google agreed to pay about $134 million, often rounded to $135 million, over claims that Android phones used customers’ paid cellular data to send information to Google when users did not expect it. (wpxi.com) (classaction.org)

That case was not about a hacker breaking in. It was about whether Google Play Services and other Android functions transferred data in the background over cellular connections, including when phones were idle, and whether that consumed users’ metered data without proper consent. (classaction.org) (openclassactions.com)

Court records show a related Google privacy case, Rodriguez v. Google LLC, ran from July 14, 2020, until termination on March 9, 2026, which gives a sense of how long Android data disputes can stay alive after the underlying product decisions were made. The mobile lesson in both stories is simple: invisible code and invisible data transfers can become visible years later in the form of emergency patches, app removals, and nine-figure legal bills. (courtlistener.com) (wpxi.com)
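
An added example, not taken from Microsoft’s write-up or this briefing: one way an app team could check whether a build inherits a pre-5.2.1 copy of the SDK through another library, by walking the text output of `gradle dependencies`. The Maven coordinate is a placeholder (the page does not give EngageSDK’s real one), and the sample tree and its version numbers are constructed.

```python
import re

# Assumption: placeholder coordinate; substitute the SDK's real group:artifact.
SDK_COORDINATE = "com.example.placeholder:engagesdk"
FIXED_VERSION = (5, 2, 1)  # release the article names as carrying the fix

# One node of `gradle dependencies` output: "+--- g:a:1.0", "\--- g:a:1.0 -> 1.2 (*)"
DEP_LINE = re.compile(
    r"[+\\]--- (?P<coord>[^:\s]+:[^:\s]+)(?::(?P<req>\S+))?(?: -> (?P<res>\S+))?"
)

# Constructed sample: the SDK arrives only transitively, via two other libraries.
SAMPLE_TREE = r"""
releaseRuntimeClasspath
+--- androidx.core:core-ktx:1.13.1
+--- com.example.vendor:push-wrapper:2.0.0
|    \--- com.example.placeholder:engagesdk:4.5.6 -> 5.0.0
\--- com.example.wallet:ui-kit:1.4.0
     \--- com.example.placeholder:engagesdk:5.0.0
"""

def parse_version(text):
    """Turn '5.2.1' or '5.2-beta' into a comparable (major, minor, patch) tuple."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def find_vulnerable(tree_text):
    """Return (dependency path, resolved version) for each SDK copy below the fix."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = DEP_LINE.search(line)
        if not m:
            continue
        depth = m.start() // 5          # Gradle indents each tree level by 5 columns
        del stack[depth:]               # drop siblings and deeper nodes
        stack.append(m.group("coord"))
        # The version after "->" is what actually ships; fall back to the requested one.
        resolved = m.group("res") or m.group("req")
        if (m.group("coord") == SDK_COORDINATE and resolved
                and parse_version(resolved) < FIXED_VERSION):
            findings.append((" > ".join(stack), resolved))
    return findings

if __name__ == "__main__":
    for path, version in find_vulnerable(SAMPLE_TREE):
        print(f"vulnerable SDK {version} pulled in via: {path}")
```

The dependency path in each finding shows which direct dependency has to be upgraded or overridden to reach 5.2.1.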
