On November 13th, 2019, Google alerted Photofy that it had violated Google’s terms of service by having a third-party application that could access data on its platform. We investigated and found the app in question was OneAudience, an audience intelligence service. OneAudience has an SDK (software development kit) weakness that could potentially be exploited to get user information such as email, user name, etc. The service was installed in our app in mid-2017, and only on the Android version. OneAudience put out a statement and has since shut down its SDK. No data was breached from Photofy, and Photofy does not share data with any third party.
OneAudience was immediately removed from our Android app by our development team (Nov 13, 2019 3:25 AM) after we were notified by Google that it was a bad-acting SDK. We have received no evidence, nor do we suspect, that accounts were accessed through the Photofy application via this SDK. Additionally, no user data was ever accessed from Photofy at any time.
Twitter posted a public statement about the incident here: https://help.twitter.com/en/sdk-issue. Twitter has never been an option for app sign in for Photofy.
Facebook also removed Photofy access with no description of the problem at hand and no way to remediate the issue. We have sent Facebook several requests for information, none of which have been answered to date. We will be conducting a full review of all third-party SDKs used in the Photofy application to further protect users’ data.
We connect to social media outlets solely for the purpose of sharing user-created content. On certain outlets we may connect to allow users to select content they have stored there. Our goal is to always operate the app with the minimal amount of data possible and to never use data other than to provide services to our users. We have no advertising, geo-tracking, etc., used to drive revenue and do not share or sell any user data.
We will be removing Facebook as a sign-up and login option and only use the Apple or Google platforms as alternatives to direct login. Moving forward, we will no longer make use of social sign-ins other than those operated by the app store creators.
If you have any questions or concerns about this incident, please contact us at firstname.lastname@example.org. We will also provide a complete report of the user data we have for your Photofy account by email request. We value our users’ privacy and strive to protect it in every way possible.
Our goal is simple, to be the easiest way to create and share content, period.