Android Ads Could Attack, Study Warns

Ad libraries, bundled with free apps, could sniff data and even install malicious software.

To guard against malicious behavior, apps that run on Android smart phones must ask politely for permission to do things like access your personal information, track your location, or transmit data via the Internet. But once they have approval, these apps can share the permissions with the advertising libraries they use to serve up ads, creating serious potential privacy and security vulnerabilities, researchers have found.

Trap Door: This permission screen—typical for a free Android app—also grants the same permissions to the app’s ad libraries.

Combing through 100,000 apps selected randomly from Google Play (the erstwhile Android Market), a team of researchers at North Carolina State University found that 48,139 of the ad libraries used by these apps tracked the user’s GPS location; 18,575 tracked the identity of the phone (its IMEI number); 4,190 let advertisers track the user via GPS; and 4,047 accessed the device’s phone number.

Dozens of such “ad libraries” exist, generating onscreen ads with the associated apps. When you click on an ad, the app maker gets a fee. One of these libraries, called energysource, uses an insecure method of loading code from the Internet, says Xuxian Jiang, the North Carolina professor who led the study, released as a paper to be presented at a conference in Tucson next month. Though the researchers did not detect malicious behavior from the app, they did say it poses a security threat simply by allowing code to be downloaded and run.

Of the 100,000 apps, 297 contained ad code that allowed the phone to run code downloaded from the Internet, providing a potential path for malicious software to get inside the device. “If your app has permission to access personal information, the ad library also has permission to access your information,” Jiang says.

The North Carolina research is only the latest evidence of gaping security and privacy holes in smart phones. In April of last year, iPhones and Android devices were found to track users’ locations automatically. Then, in December, these and other smart-phone devices were found to carry diagnostic software that also tracks a wide range of user information. More recently, it was discovered that both iPhones and Android devices share users’ address books and other information with apps. And instances of mobile malware have been rising.

The new findings point to a flaw in the business model behind apps, Jiang says. Developers rely on revenue from ad libraries to support free apps, but they have no control over what those libraries do. “The current model of embedding ad libraries in mobile apps for monetization purposes poses security and privacy risks. These ad libraries will essentially have the same set of permissions granted to the apps that enclose them. And certain ad libraries may abuse them for other unwanted purposes.”

Mobile device makers should provide ways to isolate the two, Jiang says, so that the ads run separately from the host apps—and require separate explicit permissions. “There are fundamental concerns in the way mobile apps are being monetized,” he adds.

Adding insult to injury, other research has recently found that ads associated with free Android apps are also battery-drainers. Abhinav Pathak, a computer scientist at Purdue University, and colleagues at Microsoft Research found that as much as three-quarters of the juice used by such apps is spent to serve ads and transmit user data back to advertisers.
