This story was written by Keith Dawson for UBM DeusM’s community Web site Business Agility, sponsored by IBM. It is archived here for informational purposes only because the Business Agility site is no more. This material is Copyright 2012 by UBM DeusM.

Risks of Advertisements in Android Apps

Ad libraries pose privacy and security risks.

Many Android apps come with ads that can threaten network security and users' privacy. IT shops that allow users to bring their own devices may want to tighten perimeter defenses.

[Image: android-trojan]

The economics of what was formerly known as the Android Marketplace, now Google Play, are quite different from those of Apple's app store. Folklore says that Android users don't pay for apps, whereas iOS users do. This is borne out by data indicating that free apps comprise 71 percent of the Android store, whereas less than 30 percent of iOS apps are free.

Therefore, far more developers of apps on the Android side rely on deals with advertisers to get paid for their work. The way this plays out in practice is that the developer builds the app with one or more advertising libraries bound in. These libraries can be more or less opaque to the developer, and completely so to the end user. The libraries are responsible for serving ads while the app is running.

North Carolina State University researchers delved into the prevalence and behavior of ad libraries in apps found on Google Play, according to ReadWriteWeb (here's the original research report). The researchers found ad libraries in more than half of the 100,000 apps they checked. (They did not look at iOS apps, but there are reasons to believe the same sorts of problems may exist there, just in fewer apps.)

Because the ad libraries are bound directly into the Android app, they run at the same privilege level and share any permissions the app asks the user to grant at install time -- such as reading the phone's state, accessing system tools, or communicating over the network.

Privacy problems and worse
The privacy problems arise because the user almost certainly does not know that he or she is granting the same permissions to ad networks, and in some cases to the advertisers behind them. The ad libraries can gain root access, track users' locations through GPS, access contact lists and phone-call logs, and get a list of the apps stored on the device. In fact, about half the ad libraries studied by the university researchers can track a user's location via GPS, and just over 1 in 24 apps use ad libraries that let advertisers themselves access a user's location via GPS.

There is worse. Of the 100,000 apps investigated, 297 of them (1 in 337) used ad libraries that "made use of an unsafe mechanism to fetch and run code from the Internet," according to the researchers. These libraries can fetch code from remote servers, which could give malware and hackers a way into the user's device. Because the code is downloaded at run time, it bypasses static checks for suspicious code. All in all, this behavior is indistinguishable from that of malware.
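The two findings above (an ad library inherits every permission the app holds, and a library that loads code at run time escapes static review) can both be checked from an app's static artifacts. The script below is an added example, not code from the article or from the NCSU study: it reads a decoded AndroidManifest.xml and the list of class names defined or referenced in the app's DEX file, reports which sensitive grants an embedded ad library would share, and flags a dynamic-loader reference combined with network access. The manifest and class list are constructed samples, and the ad-library package prefixes are hypothetical placeholders.

```python
"""Static triage of an Android app for ad-library risk.

Added example; it is not code from the article or from the NCSU study.
Input is the app's decoded AndroidManifest.xml plus the list of class names
defined or referenced in its DEX file. Both inputs here are constructed
samples (in practice they come from a decoding tool such as apktool), and
the ad-library package prefixes are hypothetical placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hypothetical package prefixes of embedded ad libraries (placeholders).
AD_LIBRARY_PREFIXES = ("com.example.adsdk.", "net.example.adnet.")

# Permissions that, once granted to the app, an embedded ad library
# inherits because it runs in the same process with the same privileges.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse location",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_CALL_LOG": "phone-call log",
    "android.permission.READ_PHONE_STATE": "phone state / identifiers",
}

# Android classes used to load code that was not part of the installed APK.
DYNAMIC_LOADERS = {"dalvik.system.DexClassLoader", "dalvik.system.PathClassLoader"}

# Constructed sample manifest for a flashlight app with an ad library bound in.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Flashlight"/>
</manifest>"""

# Constructed sample class list for the same app.
SAMPLE_CLASSES = [
    "com.example.flashlight.MainActivity",
    "com.example.adsdk.AdView",
    "com.example.adsdk.RemoteLoader",
    "dalvik.system.DexClassLoader",
]


def declared_permissions(manifest_xml):
    """Return the set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def triage(manifest_xml, class_refs):
    """Summarise what an embedded ad library could do with this app's grants."""
    perms = declared_permissions(manifest_xml)
    refs = set(class_refs)
    ad_libs = sorted({c.rsplit(".", 1)[0] for c in refs if c.startswith(AD_LIBRARY_PREFIXES)})
    # Every sensitive permission the app holds is available to the ad library too.
    shared = sorted(desc for p, desc in SENSITIVE_PERMISSIONS.items() if p in perms) if ad_libs else []
    # Code fetched over the network and loaded at run time escapes static review;
    # a loader reference plus INTERNET is the signal, whichever code in the process uses it.
    dynamic = bool(DYNAMIC_LOADERS & refs) and "android.permission.INTERNET" in perms
    if ad_libs and dynamic:
        risk = "high"
    elif (ad_libs and shared) or dynamic:
        risk = "medium"
    else:
        risk = "low"
    return {
        "ad_libraries": ad_libs,
        "shared_sensitive": shared,
        "dynamic_loading": dynamic,
        "risk": risk,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_CLASSES).items():
        print(f"{key}: {value}")
```

A static check like this cannot tell which class inside the process will actually call the loader, which is exactly the article's point: once the library shares the app's process and grants, attribution stops mattering to the user.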

The upshot: if you allow users to bring their own devices onto the corporate network, you may want to study the NCSU researchers' work and consider beefing up the firewall or ingress filter to block certain advertising networks. The real solution will come when Google, and Apple too, re-architect the way advertising is allowed to happen on mobile devices. Ad libraries need to run in an execution context isolated from applications.
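Blocking advertising networks at the edge, as the article suggests, usually means sinkholing their domains at the resolver and then watching the resolver log for BYOD clients that still try to reach them. The script below is an added example and not code from the article: the ad-network domains, the BYOD address range and the log lines are constructed placeholders, and the "timestamp client queried-name" log layout is hypothetical, while the `address=/domain/0.0.0.0` lines it emits use the real dnsmasq directive for answering a domain and all its subdomains with a fixed address.

```python
"""Flag and block ad-network lookups from BYOD devices at the network edge.

Added example, not code from the article. The ad-network domains, the BYOD
subnet and the resolver log lines are constructed placeholders, and the log
layout ("timestamp client queried-name") is hypothetical. The
"address=/domain/0.0.0.0" lines use the real dnsmasq directive.
"""
import ipaddress

# Placeholder ad-network domains (constructed, not real vendors).
BLOCKED_SUFFIXES = ("ads.example-network.test", "track.example-adnet.test")

# Address range handed out to bring-your-own devices (constructed).
BYOD_NETWORK = ipaddress.ip_network("10.20.0.0/16")

# Constructed resolver log: timestamp, client IP, queried name.
SAMPLE_LOG = """2012-06-14T09:12:01Z 10.20.4.17 cdn.ads.example-network.test
2012-06-14T09:12:03Z 10.20.4.17 www.example.org
2012-06-14T09:12:07Z 192.168.50.8 ads.example-network.test
2012-06-14T09:12:09Z 10.20.9.2 track.example-adnet.test
2012-06-14T09:12:11Z 10.20.9.2 notads.example-network.test
"""


def domain_matches(name, suffixes):
    """True if name equals a blocked domain or is a subdomain of one.

    Matching on a label boundary keeps "notads.example-network.test"
    from being caught by "ads.example-network.test".
    """
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def parse_line(line):
    """Split one log line into (timestamp, client address, queried name)."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        client = ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    return parts[0], client, parts[2]


def flag_queries(log_text, suffixes=BLOCKED_SUFFIXES, network=BYOD_NETWORK):
    """Return (client, name) pairs where a BYOD client looked up an ad domain."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, client, name = parsed
        # Only the BYOD range is in scope; managed hosts are handled elsewhere.
        if client in network and domain_matches(name, suffixes):
            hits.append((str(client), name))
    return hits


def render_dnsmasq(suffixes=BLOCKED_SUFFIXES):
    """Emit dnsmasq lines that sinkhole each domain and all its subdomains."""
    return [f"address=/{s}/0.0.0.0" for s in suffixes]


if __name__ == "__main__":
    for client, name in flag_queries(SAMPLE_LOG):
        print(f"BYOD client {client} resolved ad domain {name}")
    print("\n".join(render_dnsmasq()))
```

Sinkholing at the resolver only helps for apps that use the network's DNS; a library that connects by hard-coded IP address or over its own tunnel needs an egress rule at the firewall as well, which is why the log review is worth keeping even after the block is in place.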