Security

Android apps and advertising: A bit too cozy

Did you know marketing companies supplying ads to Android apps are privy to the same user information supplied to the app developer?

Adrienne Porter Felt and a research team from University of California, Berkeley asked people to participate in an informal survey about Android applications and advertising. To begin, the researchers made sure participants understood what app advertising looked like — for example:

Or:

Next, the team explained how to view an application's list of permissions (Settings/Applications/Manage applications/Selected app/ Scroll down to permissions):

Finally, the researchers asked the participants, "Can the advertisers use these permissions? For example, could they get access to the information that these permissions give the application?"

Here are the results:

  • 42 percent said yes.
  • 16 percent said no.
  • 42 percent did not know.

I'm embarrassed to say, I didn't know. Adrienne's blog provides the answer:

"If you see an ad while playing a game, you should know that the invisible ad library gets all of the game's permissions, and it might share information like your location with the advertiser."

I wasn't exactly sure what an advertising library was. So I asked Adrienne:

"The advertising library is responsible for fetching the ads and inserting them into the application's user interface. It's the code, the advertising network gives to the application developer. Who then sticks the advertising library into the application."

Comfort level

Look at the list of permissions above. Do you feel comfortable turning that information over to an advertiser? Here's something else. We supposedly agree to some kind of EULA when we acknowledge the permissions asked for by the app's developer. Does that contract include the advertiser? If not, what is the agreement between us and the advertiser regarding permissions?

It seems I'm asking the right questions. This article in the Wall Street Journal describes the circumstances surrounding a criminal investigation into whether smart phone applications transmit information about their users without proper disclosure. Hmmm.

Need answers

Hmmm is right. It's time to call in the experts. I contacted both Adrienne and William Francis — Android app developer and fellow TechRepublic writer — asking them the following questions:

Kassner: I had no idea that giving an app certain permissions passes those permissions to the advertiser. Is that spelled out somewhere? Porter Felt: Applications that provide privacy policies should disclose that they are giving information to advertisers. Unfortunately, not all applications offer privacy policies - and even when they do they are often hard to read. Francis: As an Android developer, it never occurred to me, that users didn't understand that the app's permissions and the ad's permissions (or rather the library that displays the ads) were shared. I guess it shows the disconnect that exists between app developers and app consumers. Kassner: MobFox and AdMob, two of the biggest ad networks, require the following permissions:
  • uses-permission android:name=android.permission.INTERNET
  • uses-permission android:name=android.permission.ACCESS_NETWORK_STATE
  • uses-permission android:name=android.permission.ACCESS_COARSE_LOCATION
  • uses-permission android:name=android.permission.READ_PHONE_STATE

Should we be concerned about giving these permissions to advertising networks?

Porter Felt: Some people are uncomfortable sharing their information with advertising companies. Those people might want to avoid using applications with advertisements.

We looked at a large number of applications with advertisements and ACCESS_COARSE_LOCATION. We've found that about half only use the location permission for the advertisement. (In other words, the application itself doesn't offer any location-related functionality.)

The READ_PHONE_STATE permission lets an advertising library find out what the unique ID of your phone is. That way the advertising library can track you across applications. It's similar to cookie-based tracking in the browser, which some people dislike.

You also don't need to be worried about the ACCESS_NETWORK_STATE permission - that just lets the advertising library know whether you're connected to the Internet or not.

Francis: I'd like to take this one step further and point out that the ad libraries tend to behave responsibly when using phone resources. Meaning the code libraries I've seen for generating ads try to keep CPU, bandwidth, and battery life in mind.

For example, notice that it's coarse and not fine location that is being used. This isn't because the ad library couldn't get your exact location, or because the advertisers wouldn't be able to target better ads with it, but because retrieving coarse location is a less expensive operation in terms of resource utilization.

I'm not defending the ads, only pointing out that in my experience the companies developing the ad libraries are at least cognizant of the fact that if they become too intrusive, users simply will uninstall the app.

Kassner: If the app has advertising, do we need to be concerned about how the advertiser protects our personal information? Porter Felt:  I honestly don't know exactly how advertisers protect the information that they collect about users. Francis: As a user, you don't necessarily know which ad library an app is using. You can look at the websites of the major players, but the responses tend to be vague. For example, this excerpt from AdMob's privacy statement:

"How Secure Is the Personal Information That You Provide to AdMob?

AdMob takes reasonable measures to protect your personal information in an effort to prevent loss, misuse and unauthorized access, disclosure, alteration and destruction. AdMob cannot, however, ensure or warrant the security of any information that AdMob receives."

I doubt that AdMob analytic databases are a hot target for hackers. Still, there is nothing in the statement that gives me a warm fuzzy about security measures or anything that would suggest AdMob (a.k.a Google) would in any way be held liable if there was a breach of the backend databases.

Kassner: Advertising uses bandwidth to send ads to the phone. So, am I right in assuming buying an app makes more sense? That's a single payment and not a monthly hit to my data plan. Porter Felt:  It depends on how your data plan is set up. If you have an unlimited data plan or a data plan with a very large allowance of data, then advertisements won't be a problem.

On the other hand, if you worry about the cost of data, you might want to avoid applications that bombard you with ads. Usually, the cost of data is low enough that an application with one or two ads won't be expensive. However, an application that uses multiple ad networks to generate revenue might turn out to be expensive.

Francis: Again, I'd like to throw in an opinion from someone who makes a substantial portion of his livelihood developing apps. If you aren't a fan of ads, if you have concerns about the shared permissions between an app and the ads, then buy the app.

Developers aren't any wilder about third-party advertising than users. One reason ads have become prolific is because developers are having a hard time getting reimbursed for their efforts — writing and releasing an app.

Android users are 50% less likely to purchase an app than their iPhone counterparts. And, unless an app is getting millions of downloads and constantly changing content to keep users interested, app developers make significantly less money via ads than an outright purchase.

I'm not suggesting you should buy every app. But try an app and if you like it and use it then consider buying the ad-free version. It will make the developer happier, your experience better, and your phone less vulnerable to privacy concerns.

Final thoughts

One thing I forgot to mention — the survey participants were divided, as to whether advertisers should get the same permissions and information as the app developer. I'd be interested in learning what you think.

You may remember Adrienne and William. They both helped on many of my Android articles. Once again, I'm indebted to them for their assistance.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks