Researchers from North Carolina State University have found that in-app advertisements pose privacy and security risks.
In a recent study of 100,000 apps in the Google Play market, researchers noticed that more than half contained so-called ad libraries. And 297 of the apps included aggressive ad libraries that were enabled to download and run code from remote servers, which the researchers said raise significant privacy and security concerns.
Dr. Xuxian Jiang, an assistant professor of computer science at NC State and co-author of a paper describing the work, said in a statement that running code downloaded from the Internet is problematic because the code could be anything. “For example, it could potentially launch a ‘root exploit’ attack to take control of your phone – as demonstrated in a recently discovered piece of Android malware called RootSmart,” he wrote.
As is usually the case in life, the research confirms that nothing is ever really free and that goes for mobile apps. To generate revenue, app developers incorporate “in-app ad libraries,” which are provided by Google, Apple or other third parties. The ad libraries retrieve advertisements from remote servers and run the ads on a user’s smartphone periodically. Every time an ad runs, the app developer receives a payment.
The North Carolina research claims this poses potential problems because the ad libraries receive the same permissions that the user granted to the app itself when it was installed, regardless of whether the user was aware they were granting permissions to the ad library.
Jiang’s team found that 48,139 of the 100,000 apps (1 in 2.1) had ad libraries that track a user’s location via GPS, presumably to allow an ad library to better target ads to the user. However, 4,190 apps (1 in 23.4) used ad libraries that also allowed advertisers themselves to access a user’s location via GPS. Other information accessed by some ad libraries included call logs, user phone numbers and lists of all the apps a user has stored on his or her phone.
These ad libraries pose security risks because they offer a way for third parties, or hackers, to bypass existing Android security efforts. Specifically, the app itself may be harmless, so it won’t trigger any security concerns. But the app’s ad library may download harmful or invasive code after installation.
“To limit exposure to these risks, we need to isolate ad libraries from apps and make sure they don’t have the same permissions,” Jiang said. “The current model of directly embedding ad libraries in mobile apps does make it convenient for app developers, but also fundamentally introduces privacy and security risks.”
Jiang contends that the best solution would be for Google, Apple and other mobile platform providers to take the lead in providing effective ad-isolation mechanisms.
The full report can be viewed here.