INCLUDING ADS IN MOBILE APPS poses serious privacy and security risks, computer scientists warned today.
In a recent study of 100,000 apps in the Google Play market, researchers from North Carolina State University (NCSU) found that more than half contained so-called ad libraries. And 297 of the apps included "aggressive" ad libraries that were enabled to download and run code from remote servers, which the boffins warn raises "significant privacy and security concerns".
"Running code downloaded from the internet is problematic because the code could be anything," warned Dr Xuxian Jiang, an assistant professor of computer science at NCSU and co-author of a paper describing the work.
"For example, it could potentially launch a root exploit attack to take control of your phone - as demonstrated in a recently discovered piece of Android malware called RootSmart."
He explained that the in-app ad libraries, which are provided by Google, Apple or other third-parties, retrieve advertisements from remote servers and run the ads on a user's smartphone periodically. Every time an ad runs, the app developer receives a payment. However, the research team warns that the practice opens up potentially serious security holes because the ad libraries receive the same permissions that the user granted to the app itself when it was installed. This occurs regardless of whether the users were aware that they were granting permissions to the ad library.
Jiang's team looked at a sample of 100,000 apps available on Google Play between March and May 2011 and examined the 100 representative ad libraries used by those apps. One significant find was that one out of every 337 apps used ad libraries "that made use of an unsafe mechanism to fetch and run code from the internet - a behaviour that is not necessary for their mission, yet has troubling privacy and security implications," Jiang said. But that is only the most extreme example.
The NCSU boffins found that 48,139 of the apps - one in 2.1 - had ad libraries that tracked a user's location via GPS, presumably to allow an ad library to better target ads to the user. However, 4,190 apps - one in 23.4 - used ad libraries that also allowed advertisers themselves to access a user's location via GPS. Other information accessed by some ad libraries included call logs, user phone numbers and lists of all the apps a user has stored on his or her phone.
The paper warned, "These ad libraries pose security risks because they offer a way for third parties - including hackers - to bypass existing Android security efforts. Specifically, the app itself may be harmless, so it won't trigger any security concerns. But the app's ad library may download harmful or invasive code after installation."
To limit exposure to these risks, users need to isolate ad libraries from apps and make sure they do not have the same permissions, the paper advised.
"The current model of directly embedding ad libraries in mobile apps does make it convenient for app developers, but also fundamentally introduces privacy and security risks. The best solution would be for Google, Apple and other mobile platform providers to take the lead in providing effective ad-isolation mechanisms," according to Jiang. µ