
Researchers find security holes opened by Android app ads

by Phil Hornshaw

Security and privacy have become growing concerns as the mobile space gets bigger and more ubiquitous, with a few recent controversies throwing a big spotlight on the fact that even seemingly trustworthy apps may be grabbing more data from their users than they want to give up.

A new study has found that the ads in Android apps are a new thing to worry about when it comes to mobile security. App ads apparently can snag data and send it off to third parties without much trouble, and those very same ads might be opening cracks in the security of Android users’ devices.

Ars Technica has a story, citing a study from North Carolina State University. That study found that the trouble arises from in-app ads, because generating them requires libraries of software stored on users’ devices. Generally, that software needs to grab information from the Internet in order to generate new, changing ads. Sometimes, those ads even pull down software code from the Internet, meaning your app could be running software it streams in on the fly. It’s not hard to see how a malicious user on the Internet might trick an ad into streaming the wrong code, causing the app to do something the user might not even know about.

The ad libraries also increase security risks because they receive the permissions the user grants to the app. When apps are downloaded, the user signs off on which areas of the device the app can access. If an ad library is then streamed malicious code, the user has basically opened the door for that malware to do whatever its creator wants. That code can be hidden in the ads streamed from the Internet, or in other code downloaded after the app received its permissions.

The team conducting the NC State study was led by computer science assistant professor Dr. Xuxian Jiang, and tested about 100,000 apps found in the Google Play Store, the newly renamed Android Market. In addition to finding apps that reach out to the Internet to stream in what their ads need, the team also discovered that many apps make use of GPS data in generating their ads, and about one in 23 sends that data back to advertisers.

Some apps were even able to access users’ call logs and phone numbers, as well as the list of other apps on their phones.

After the debacle earlier this year that resulted from the discovery by many users that social networking apps were using and storing devices’ address book information as part of their functions, more users have been wary about apps that violate their security and privacy. But studies such as this one continue to suggest that there’s good reason to worry. While smartphones are powerful and convenient, they’re still evolving as devices, and storing sensitive information on them (or using them to perform sensitive tasks, like banking) can be risky.