
Android apps and advertising: A bit too cozy

Did you know marketing companies supplying ads to Android apps are privy to the same user information supplied to the app developer?

Adrienne Porter Felt and a research team from the University of California, Berkeley asked people to participate in an informal survey about Android applications and advertising. To begin, the researchers made sure participants understood what app advertising looked like.

Next, the team explained how to view an application's list of permissions (Settings/Applications/Manage applications/Selected app/ Scroll down to permissions):

Finally, the researchers asked the participants, "Can the advertisers use these permissions? For example, could they get access to the information that these permissions give the application?"

Here are the results:

  • 42 percent said yes.
  • 16 percent said no.
  • 42 percent did not know.

I'm embarrassed to say, I didn't know. Adrienne's blog provides the answer:

"If you see an ad while playing a game, you should know that the invisible ad library gets all of the game's permissions, and it might share information like your location with the advertiser."

I wasn't exactly sure what an advertising library was. So I asked Adrienne:

"The advertising library is responsible for fetching the ads and inserting them into the application's user interface. It's the code the advertising network gives to the application developer, who then sticks the advertising library into the application."

Comfort level

Look at the list of permissions above. Do you feel comfortable turning that information over to an advertiser? Here's something else. We supposedly agree to some kind of EULA when we acknowledge the permissions asked for by the app's developer. Does that contract include the advertiser? If not, what is the agreement between us and the advertiser regarding permissions?

It seems I'm asking the right questions. This article in the Wall Street Journal describes the circumstances surrounding a criminal investigation into whether smart phone applications transmit information about their users without proper disclosure. Hmmm.

Need answers

Hmmm is right. It's time to call in the experts. I contacted both Adrienne and William Francis -- Android app developer and fellow TechRepublic writer -- asking them the following questions:

Kassner: I had no idea that giving an app certain permissions passes those permissions to the advertiser. Is that spelled out somewhere?

Porter Felt: Applications that provide privacy policies should disclose that they are giving information to advertisers. Unfortunately, not all applications offer privacy policies - and even when they do they are often hard to read.

Francis: As an Android developer, it never occurred to me that users didn't understand that the app's permissions and the ad's permissions (or rather the library that displays the ads) were shared. I guess it shows the disconnect that exists between app developers and app consumers.

Kassner: MobFox and AdMob, two of the biggest ad networks, require the following permissions:

  • <uses-permission android:name="android.permission.INTERNET" />
  • <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
  • <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
  • <uses-permission android:name="android.permission.READ_PHONE_STATE" />

Should we be concerned about giving these permissions to advertising networks?

Porter Felt: Some people are uncomfortable sharing their information with advertising companies. Those people might want to avoid using applications with advertisements.

We looked at a large number of applications with advertisements and ACCESS_COARSE_LOCATION. We've found that about half only use the location permission for the advertisement. (In other words, the application itself doesn't offer any location-related functionality.)

The READ_PHONE_STATE permission lets an advertising library find out what the unique ID of your phone is. That way the advertising library can track you across applications. It's similar to cookie-based tracking in the browser, which some people dislike.

You also don't need to be worried about the ACCESS_NETWORK_STATE permission - that just lets the advertising library know whether you're connected to the Internet or not.

Francis: I'd like to take this one step further and point out that the ad libraries tend to behave responsibly when using phone resources. Meaning the code libraries I've seen for generating ads try to keep CPU, bandwidth, and battery life in mind.

For example, notice that it's coarse and not fine location that is being used. This isn't because the ad library couldn't get your exact location, or because the advertisers wouldn't be able to target better ads with it, but because retrieving coarse location is a less expensive operation in terms of resource utilization.

I'm not defending the ads, only pointing out that in my experience the companies developing the ad libraries are at least cognizant of the fact that if they become too intrusive, users simply will uninstall the app.

Kassner: If the app has advertising, do we need to be concerned about how the advertiser protects our personal information?

Porter Felt: I honestly don't know exactly how advertisers protect the information that they collect about users.

Francis: As a user, you don't necessarily know which ad library an app is using. You can look at the websites of the major players, but the responses tend to be vague. For example, this excerpt from AdMob's privacy statement:

"How Secure Is the Personal Information That You Provide to AdMob?

AdMob takes reasonable measures to protect your personal information in an effort to prevent loss, misuse and unauthorized access, disclosure, alteration and destruction. AdMob cannot, however, ensure or warrant the security of any information that AdMob receives."

I doubt that AdMob analytic databases are a hot target for hackers. Still, there is nothing in the statement that gives me a warm fuzzy about security measures or anything that would suggest AdMob (a.k.a Google) would in any way be held liable if there was a breach of the backend databases.

Kassner: Advertising uses bandwidth to send ads to the phone. So, am I right in assuming buying an app makes more sense? That's a single payment and not a monthly hit to my data plan.

Porter Felt: It depends on how your data plan is set up. If you have an unlimited data plan or a data plan with a very large allowance of data, then advertisements won't be a problem.

On the other hand, if you worry about the cost of data, you might want to avoid applications that bombard you with ads. Usually, the cost of data is low enough that an application with one or two ads won't be expensive. However, an application that uses multiple ad networks to generate revenue might turn out to be expensive.

Francis: Again, I'd like to throw in an opinion from someone who makes a substantial portion of his livelihood developing apps. If you aren't a fan of ads, if you have concerns about the shared permissions between an app and the ads, then buy the app.

Developers aren't any wilder about third-party advertising than users. One reason ads have become prolific is because developers are having a hard time getting reimbursed for their efforts -- writing and releasing an app.

Android users are 50% less likely to purchase an app than their iPhone counterparts. And, unless an app is getting millions of downloads and constantly changing content to keep users interested, app developers make significantly less money via ads than an outright purchase.

I'm not suggesting you should buy every app. But try an app and if you like it and use it then consider buying the ad-free version. It will make the developer happier, your experience better, and your phone less vulnerable to privacy concerns.

Final thoughts

One thing I forgot to mention -- the survey participants were divided as to whether advertisers should get the same permissions and information as the app developer. I'd be interested in learning what you think.

You may remember Adrienne and William. They both helped on many of my Android articles. Once again, I'm indebted to them for their assistance.
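
The four permissions listed in the interview can be checked against an app's manifest. The following is an added example, not code from the article or from anyone quoted in it: it reads a manifest already decoded to plain-text XML, reports which of those four permissions are requested, and compares a free and a paid build, the before/after check one commenter on this article suggests. The sample manifests, package names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The four ad-network permissions named in the article and what each exposes.
AD_PERMISSIONS = {
    "android.permission.INTERNET": "network access (fetching ads, sending data)",
    "android.permission.ACCESS_NETWORK_STATE": "whether the device is online",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_PHONE_STATE": "unique phone ID (cross-app tracking)",
}


def _manifest(package, names):
    """Build a constructed sample manifest; not taken from any real app."""
    uses = "".join(
        f'<uses-permission android:name="android.permission.{n}"/>' for n in names
    )
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        f'package="{package}">{uses}</manifest>'
    )


# Hypothetical free (ad-supported) and paid builds of the same game.
FREE_MANIFEST = _manifest(
    "com.example.game.free",
    ["INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_COARSE_LOCATION",
     "READ_PHONE_STATE", "VIBRATE"],
)
PAID_MANIFEST = _manifest(
    "com.example.game.paid", ["INTERNET", "READ_PHONE_STATE", "VIBRATE"]
)


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    # For manifests from untrusted APKs, use a hardened XML parser instead.
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def ad_related(perms):
    """Map each requested ad-network permission to what it exposes."""
    return {p: AD_PERMISSIONS[p] for p in sorted(perms) if p in AD_PERMISSIONS}


def compare_builds(free_xml, paid_xml):
    """Diff two builds; ad permissions that survive the upgrade merit a look."""
    free, paid = requested_permissions(free_xml), requested_permissions(paid_xml)
    return {
        "dropped_in_paid": sorted(free - paid),
        "added_in_paid": sorted(paid - free),
        "ad_related_still_in_paid": list(ad_related(paid)),
    }


if __name__ == "__main__":
    for key, value in compare_builds(FREE_MANIFEST, PAID_MANIFEST).items():
        print(f"{key}: {value}")
```

A permission that remains in the paid build is only an indicator: the app itself may have a legitimate use for it.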


23 comments
Jordon

"Francis: As an Android developer, it never occurred to me, that users didn't understand that the app's permissions and the ad's permissions (or rather the library that displays the ads) were shared." He develops apps for Android and it never occurred to him? I wish I knew which apps he's developed. If I had any, they'd be gone.

seanferd

Forum software, get real.

flood_specialist

Why are we worrying about company this and company that. The problem is with the developer community and what we have become. Hey, I can code this, what do you think this company or that company will pay me for it? Those app developers and designers are the ones with the problem as far as I'm concerned. You know exactly what the code does and don't do. You have the responsibility and duty to inform hey this app will track you or whatever and this is how you disable it. After all you are the end user. Instead, I need to make a living whether I like it or not. Pass the buck. Why worry about someone spying if you're not guilty. The very people creating the software think they are cool for being able to implement it unknowingly. Although I work in the industry, I still have the moral fortitude to say no. Everybody else in this industry needs to do the same. People want a lot of things and there are ways to give it to them without deception. I have noticed though, there is a lack of news that if or no one is running back to the stores demanding refunds or canceling their services because of. I do not own a smart phone, refuse to use one. Should it become a point of force, I was looking for a job when I found this one. Michael, thanks for trying.

Michael Kassner

If you look at the WSJ article, Apple is also implicated and others may come. This particular investigation deals with Pandora. Is that on your phone?

wdewey@cityofsalem.net

I honestly didn't ever think about ads and permissions. It makes sense that they have the same permissions since they are essentially the same application. I am not real comfortable with that, but at the same time I really am not a big fan of ads in general. I usually prefer to either purchase an application or do without. Bill

Justin James

I had always assumed that the ad libraries, at least the ones that come with Android itself, would be firewalled off from the rest of the application and only get the information that they need to do their job. I never would have made the connection in a million years that since the library is running within the app, that Android would just let it have whatever access that the app had. Sounds to me like a GREAT way to slip a virus into Android would be to start a bogus ad network, promising massive payouts, and putting the virus in the ad library. Or simply imitating the site for an existing ad system, try to leapfrog it in search engine results, and use it to distribute the bogus ad library. Once again, I am grateful that I am not an Android user. J.Ja

glw2

For multiple reasons I like downloading and testing apps before buying them. As an Android user I am in a unique position that I cannot charge my apps to the monthly bill; it is a corporate phone and they do not allow that. Therefore I have to use PayPal or a credit card to pay. It is worth it to limit the ads. I also do not think that the Android API should neither allow nor require the ad have the same permissions! I do have a question about the apps library. Once I have downloaded the app to test, the ad libraries are there. How do I know that they are not still sending data after I upgrade to the paid apps? Just because the ads are not popping up does not necessarily mean the data is not transmitted.

seanferd

the Android API should neither allow nor require the ad have the same permissions as the app. I'm just glad that I still have no use for such technology.

bboyd

They have been a vector before. Sure they will again so the less I can give them for permissions the better. One thing that bothers me is verification. I have very little in the way of controlling the data they generate or way to even know what or when they gather.

Michael Kassner

New post Did you know that? How do you feel about it?

vegesm

I'm not a developer but never thought that the app and ad library have a different set of permissions. I always thought about it as one single app (as it is).

seanferd

How does it work?! You mean I was supposed to understand the entire EULA, which may or may not have been presented to me?

Justin James

Any DLL you put into your project could do this, really... I don't use stuff like Pandora, and I only have one item with ads in it at all, the Sudoku game that Microsoft makes for WP7 (I have a WP7 phone, so I'm also Carrier IQ-free :) ). J.Ja

authorwjf

Any app with the Internet permission could be transmitting data with or without ads or the associated ad libraries. Generally speaking though my experience has been that as long as you are purchasing legitimate apps from a legitimate market you will get what you pay for. Keep in mind too that if you uninstall the free version of the app and then install the paid one you get to review the permissions being asked for again. For instance most ad libraries require "coarse location" permission. But if the app is, say, a game, once you purchase the paid version this permission should no longer be needed. The same is probably true of phone state. So while it's not a foolproof method, comparing permissions before and after the purchase is at least one indicator that could be used if you suspect something is amiss.

Michael Kassner

I view it as the forerunner of behavioral advertising. In a sense it is more, with the addition of geo-location.

Michael Kassner

I was curious as to what you meant by that. Also, I somewhat agree with you about the data comment, except at least Android attempts to make it transparent with the addition of permissions. The criminal case involves other types of phone operating software and from what I see, users have no insight as to what is being cultivated.

wdewey@cityofsalem.net

All the apps that I have purchased that have a free trial all you do is download the license key. No actual changes are made to the application itself. To be fair, an application developed for a PC or Mac could do many malicious activities if the developers wanted it to (it does not take special permissions to launch a second process that connects back to a C&C server and downloads additional code and a lot of newer games do this for legitimate reasons). In this respect an app developed for a phone could do a lot with just a few simple permissions if that was what the developers wanted it to. There is a lot of trust involved with downloading and installing an app on any device even if people don't think about it that way. Bill

authorwjf

"the Android API should neither allow nor require the ad have the same permissions" I guess the thing not clear to the average user is that the ad and the app are one. Meaning as an Android developer if I choose to implement one of the ad-based revenue models to try and get reimbursed for an app that users are downloading but not buying, I literally download a JAR file that I must compile into my application. The JAR file comes with a document which states all the permissions I must add to my app to make it work. And if I don't add those permissions the advertisements won't play and I will continue not to get paid anything for my efforts. I guess my point is just that it's really not so much a function of the API because when it's all said and done the developer has really created in effect a monolithic app that includes both the original functionality plus an app that plays ads and collects user metrics for the advertisers. As a developer not only do I not like messing with the ad libraries but I must redesign my application screens to make room for the ads to play. I think the ads "crowd" my apps. And the companies that act as the middle man for the advertisements are generally slow to pay out so it takes a lot longer to get reimbursed and as mentioned in the article reimbursement is at a much lower rate than the 70% I get automatically when someone purchases one of my apps. I like hearing readers say that buying the app is a reasonable suggestion. I think if more users felt that way there would be no need to worry about ads as another vector on Android. Apps for phones are priced at a very low-price point, often under $2. And usually it's possible just to have that purchase price added to the following month's phone bill so there is little to no hassle. 
It's difficult for me to feel overly sympathetic for a user who continues to use a trial version of my software yet won't part with 99 cents or $1.99 or whatever I think is a reasonable amount for something I put my time and effort into creating and releasing. Sorry to get on my soap box. I just believe as many issues as exist with privacy that users don't have control over in the smart phone revolution this is one area where users can and should step up. Hopefully well researched articles like this will help to raise awareness. Kudos to the author!

seanferd

"I guess the thing not clear to the average user is that the ad and the app are one." I just don't happen to agree with the entire model. YMMV. "As a developer not only do I not like messing with the ad libraries but I must redesign my application screens to make room for the ads to play. I think the ads "crowd" my apps. And the companies that act as the middle man for the advertisements are generally slow to pay out so it takes a lot longer to get reimbursed and as mentioned in the article reimbursement is at a much lower rate than the 70% I get automatically when someone purchases one of my apps." Or maybe your mileage doesn't vary much at all. "It's difficult for me to feel overly sympathetic for a user who continues to use a trial version of my software yet won't part with 99 cents or $1.99 or whatever I think is a reasonable amount for something I put my time and effort into creating and releasing." I'm not terribly sympathetic on that point, either, although I find it to be a separate issue from bad and invasive advertising models. Whatever, this behavior is ingrained. People are used to living with ads in a lot of software. People are also used to getting functional, good-quality, ad-free software for nothing. Roaming device application consumption has about twenty years of desktop-style of application consumption inertia to overcome. Give it a bit. "Sorry to get on my soap box." Sorry, I hadn't noticed that you were pontificating. ;)

wdewey@cityofsalem.net

I agree with your comments. People expect a lot for free and I think that is much of the problem with smart phones. There has to be a way for people to support themselves so if no one is willing to fork over a little money to buy an app then what is the developer supposed to do? I personally usually try an app for free to get a feel for it, but then I normally will purchase it. I find it interesting that some apps do not have the option to purchase a copy. I am guessing that they either are popular enough that ad revenue is worth more than the purchase price or the developer made it for themselves and decided to share. Bill