"Android ad networks found accessing users’ private data"

Ad-supported apps aren't going away any time soon and there's
nothing actually wrong with the concept 

Researchers at the University of North Carolina have discovered that Android apps that run ads could be invading users’ privacy without their, or the app developers’, knowledge. The ad networks that many developers rely on to earn money exploit permissions granted to the app, often gathering information that users would not reasonably expect advertisers to have access to.

Xuxian Jiang, assistant professor in the Department of Computer Science, and his team found “threats to security and privacy” with many of the ad libraries used in popular Android apps. In an analysis of 100,000 apps downloaded between March and May 2011, the researchers found 100 ad libraries, some of which were gathering data such as the user’s

location via GPS, the phone’s identifying IMEI number, the user’s phone number, lists of other apps on the phone and even the recent calls list.

The Android Market, now called Google Play, tells users very clearly what permissions they are granting each app before they download it. But those same permissions can be used by the ad networks in ways that are not obvious to the user. Whether they know it or not, users that grant permissions to ad-supported apps are giving the same access to advertisers.

Ad-supported apps aren't going away any time soon and there's nothing actually wrong with the concept. Reuters

Says the study:

 “Due to the fact that ad libraries are incorporated into the host apps that use them, they in essence form an symbiotic relationship. Based on such relationship, an ad library can effectively leverage it and naturally inherit all permissions a user may grant to the host app, thus undermining the app-based privacy and security safeguards.”

ReadWriteWeb identified “three categories of creepy”:

1. Invasively collecting personal information. Ad network Sosceo, for example, was found to be collecting data on recent phone calls.
2. Permissively disclosing data to running ads. One of the more popular ad libraries, Mobclix, “has a variety of ways to attain personal information in running ads”, such as being able to access users calendar and camera, read phone information and use the vibrate function.
3. Unsafely fetching and loading dynamic code. The ability to load dynamic code means that any security analysis would fail to find malicious code because that code could be added later.

The third category of creepy is particularly worrying. The ability to send new code to a device without the user explicitly upgrading the app or granting permission for the new code is a serious security hole. Although the ad networks use that capability for benign purposes as far as we know, it could easily be used to download malicious code.

The freedom that ad networks have to access user data and insert code should worry not just anyone who owns an Android device, but anyone who develops apps for them too. As Technology Review reports:

The new findings point to a flaw in the business model behind apps, Jiang says. Developers rely on revenue from ad libraries to support free apps, but they have no control over what those libraries do. “The current model of embedding ad libraries in mobile apps for monetization purposes poses security and privacy risks. These ad libraries will essentially have the same set of permissions granted to the apps that enclose them. And certain ad libraries may abuse them for other unwanted purposes.”

Mobile device makers should provide ways to isolate the two, Jiang says, so that the ads run separately from the host apps—and require separate explicit permissions. “There are fundamental concerns in the way mobile apps are being monetized,” he adds. 

Ad-supported apps aren’t going away any time soon and there’s nothing actually wrong with the concept. What is problematic is the way that ad networks have access to far more data than they need or should have. Advertisers are well known for wanting as much personal data as they can lay their hands on because it helps them to target ads more effectively and increase their income. They won’t willingly give up using these tactics.

But these privacy incursions are too commonplace to let pass. With 48 percent of studied apps gathering GPS location 18.5 percent tracking the phone’s IMEI number, and 4 percent accessing phone numbers, the evidence shows there is a significant problem. Google needs to make sure that ads are easy to target and deliver, but are also secure. And app developers need to make sure that they pick ad networks responsibly, taking care to choose networks which do not abuse their users’ data.