We recently discovered and fixed a vulnerability in Twitter for Android related to an underlying Android OS security issue affecting OS versions 8 and 9. Our understanding is that 96% of people using Twitter for Android already have an Android security patch installed that protects them from this vulnerability. For the other 4%, this vulnerability could allow an attacker, through a malicious app installed on your device, to access private Twitter data on your device (like Direct Messages) by working around the Android system permissions that protect that data.
We don’t have evidence that this vulnerability was exploited by attackers. But, because we can’t be completely sure, here's what we’re doing to keep the small group of potentially vulnerable people safe:
- Updated Twitter for Android to make sure external apps can’t access Twitter in-app data by adding extra safety precautions beyond standard OS protections
- Requiring anyone who may be impacted to update Twitter for Android
- Sending in-app notices to everyone who could have been vulnerable to let them know if they need to do anything
- Identifying changes to our processes to better guard against issues like this
To keep your Twitter data safe, please update to the latest version of Twitter for Android on all Android devices that you use to access Twitter. This issue did not impact Twitter for iOS or Twitter.com.
Your privacy and trust are important to us and we will continue working to keep your data secure on Twitter. If you’d like additional information regarding your account security, you can reach out to our Office of Data Protection through this form.