
The price for free Android apps may be your privacy

In-app advertising receives the same permission set as the host app. Michael Kassner reviews what that controversial decision means to the user.

Free phone apps come with baggage. The baggage I'm referring to is the advertising inherited with the app as a way to offset the app being free.

I'll let others debate whether accepting advertising is a fair swap for a free app or not. I'm more concerned about what was uncovered in the research paper: "Unsafe Exposure Analysis of Mobile In-App Advertisements." Dr. Xuxian Jiang and his prolific research team have unearthed unsettling information about free apps designed for the Android operating system.

I've written so many articles with Dr. Jiang's help that I just send him the questions and he graciously returns the answers. So let's get to it.

Kassner: I avoid apps that include advertising -- they're annoying and drain my phone's battery. From your paper, it seems this should be the least of my concerns. Would you describe what you have uncovered?

Jiang: In-app ads may pose privacy and security risks. Some embedded in-app ad libraries collect personal information stored on the phone, which may not be justified for advertising purposes. Some ad libraries have dynamic-code loading capability that is often abused by existing malware to escape detection.

Kassner: Something puzzles me. The paper states:

"Even though ad libraries come from a different developer and have different intentions than their hosting apps, they are afforded the same permissions."

I don't think many people realize that in-app ads have the same permission set as the app. I sure didn't. How is that possible?

Jiang: During installation, when prompted to check the list of permissions requested by the app, users typically only think of the host app. However, ad libraries receive the same permissions as the app.

This is due to a lack of isolation -- at the Android platform level -- separating the ad libraries from the host app. The main motivation behind our study is to argue for an isolation mechanism. It is also our hope that mobile-platform providers can take the lead in creating the required separation.

Kassner: So that's why in-app ads can download and execute code. Scary. That ability also bypasses any protection afforded by sandboxing. Something else I read in the NCSU news release:

"4,190 apps used ad libraries that allowed advertisers themselves to access a user's location via GPS."

So besides executing code, an ad could turn on the phone's GPS without user permission or knowledge?

Jiang: That's not completely accurate. Ads built into apps with location permission can access a user's location via GPS, assuming the GPS is turned on. I believe actually enabling the GPS requires a different permission.

Kassner: That's good news; at least we still control the GPS. I do remember writing about the enable permission with William Francis. I see that once again your team built a tool -- AdRisk -- to automate your analysis.

Would you briefly explain what AdRisk does?

Jiang: The tool looks for suspicious (mis)uses of potentially dangerous Android permissions and reports the corresponding execution path, which is then verified.

Kassner: With this attack vector now proven, what is your biggest concern?

Jiang: The biggest concern is there's no easy solution. Changes in the current app-monetization model and the platform may be required. And if that happens, app developers should be required to incorporate the changes when in-app ads are used.

Kassner: It seems that not using free apps with in-app advertising is our only recourse. Are there any other solutions?

Jiang: Right now, it's the only option. In the future, one solution might be to certify the safe use of existing ad-libraries. If apps only include certified ad libraries, they can certainly be considered safe to use.

Kassner: Thank you Dr. Jiang for your insight and solid research. My Android-investigative partner, William Francis agrees, mentioning:

"Dr. Jiang is so thorough technically; there is never any disputing his findings. The only issue I ever have with his findings is that sometimes they run counter to my livelihood."

That comment tripped my journalistic button. I asked William what he meant.

Francis: It's all about click counts. The more people click on the ads displayed in an app, the more money is made by the app developer and the ad network. So it's important to individualize ads for each user. That means knowing as much as possible about the user - for example, interests and location.

I'm not defending the ads or the Android permissions system. I think there definitely needs to be safer, finer controls, and oversight. I'm just pointing out that -- in general -- app developers and ad-network owners are not sitting in a lab somewhere thinking up diabolical ways to violate user privacy.

They are focused on trying to make the best of an evolving market that operates within tight financial parameters. That doesn't mean there aren't bad guys out there waiting to take advantage of these new opportunities. We all know there are.

In-app advertising represents a tricky scenario and solving it to everyone's satisfaction is technically challenging. It's also a relatively new problem and as such, I believe in time it will get worked out. What we hope is that it gets worked out through intelligent discussions fueled by authors like you and researchers like Dr. Jiang.

The alternative of some high-profile case of abuse would be bad for everyone involved in the smart phone and app market, including consumers.

Final thoughts

Whether an app gets the requested permissions or not is ultimately our choice. Until recently, I had no problem with that. I could research the app and its developer -- then decide. Apparently there's more to it, and it's hidden from our view.
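To make the shared-permission point concrete, here is an added example (not from the article, the paper, or AdRisk) of a much simpler manifest-level check: it lists which sensitive permissions any bundled ad SDK would inherit from its host app and whether that SDK references Android's dynamic class loader. The manifest, the class references, and the `com.example.adsdk.` SDK are constructed sample data, and the `AD_PREFIXES` mapping is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Subset of permissions Android treats as dangerous (privacy-relevant).
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
}
# Assumption: package prefixes used to recognise bundled ad SDKs.
# "com.example.adsdk." is a made-up SDK for the sample data.
AD_PREFIXES = {"com.google.ads.": "AdMob", "com.example.adsdk.": "ExampleAds"}
DYNAMIC_LOADER = "dalvik.system.DexClassLoader"

# Constructed sample: manifest of a hypothetical free app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Flashlight"/>
</manifest>"""
# Constructed sample: (class, API it references), as a disassembler might list.
SAMPLE_REFS = [
    ("com.example.flashlight.MainActivity", "android.hardware.Camera"),
    ("com.example.adsdk.Tracker", "android.location.LocationManager"),
    ("com.example.adsdk.Updater", "dalvik.system.DexClassLoader"),
]

def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit(manifest_xml, refs):
    """Map each bundled ad SDK to what it inherits from the host app."""
    sensitive = sorted(requested_permissions(manifest_xml) & SENSITIVE)
    report = {}
    for cls, api in refs:
        for prefix, sdk in AD_PREFIXES.items():
            if cls.startswith(prefix):
                # The SDK runs in the host process, so it gets every permission.
                entry = report.setdefault(
                    sdk, {"inherits": sensitive, "loads_code": False})
                entry["loads_code"] |= (api == DYNAMIC_LOADER)
    return report

if __name__ == "__main__":
    for sdk, finding in audit(SAMPLE_MANIFEST, SAMPLE_REFS).items():
        print(sdk, finding)
```

The install-time prompt shows only the manifest's permission list; the per-SDK view this check produces is the part the user never sees.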

A heart-felt thanks to Xuxian, his research team, and William for their expert help in shedding light on this controversial subject.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

37 comments
JRogersUT

I noticed comments above regarding if the ad libraries still exist in the non-free version of an application. That being said is there any way to truly protect yourself from the ads and the privacy and security issues they bring? I do appreciate the quick synopsis and insight into the issue. I did not realize that the ads were receiving the same permission as the actual application.

michaellashinsky

If the ads are targeting me, and I never click an ad, theoretically shouldn't the ads just stop? (Of course I know that will never happen...) Seriously, I NEVER click ads, web or phone, (except the occasion where my fat fingers hit one on my phone by accident,) so no matter how many ads they throw in front of my face, the advertised product is not being sold to me, and no click through revenue is being generated for the app developer. The ad company is taking money from their customers, but their customers are not going to get any money from me. Clicks don't generate revenue, sales generate revenue! I am willing to pay a reasonable fee for content and apps, but no reasonable system is in place for that. So they pump ads at me that I ignore, (I get less when my wifi is turned off,) and I block 'em or ignore 'em. This system has got to break down eventually. It is false!

andrew232006

This is scary. Should I be worried about trojans being installed, losing my credit card info, or passwords being stolen?

croberts

Just download AdFree, and all ads redirect to your local IP (127.0.0.1), i.e. - they do not work or show up at all. In all my free games and apps I always just see an empty black space where ads are supposed to be. It patches your host file (if you are rooted, which I doubt any techie on here isn't), then all ads are disabled in any app that has them.

massimj

It's nice that someone is looking out for the average Joe, but how about some specific examples of what specific apps are doing, and which are the most dangerous? It is one thing to know where a person is to improve the function of the application, such as Wikihood, but it is another to do it with some malicious intent. Some might say it would be illegal to mislead a person to allow location services because they think it is important for the function of the apps, and another to use the information to gain some other personal information to rob you of something. I compare this article to one that tells people that guns can kill people, and many people are allowed to buy them. There is potential here, but not a problem for the majority. If someone is committing a crime, let it be known. Just because the potential is there, does not mean our favorite apps are dangerous to us.

cliff

Something like: 1) Ads have the same access to private info as the host APP - the free version 2) Ads can be displayed only, no access to processing - the $0.99 version 3) No ads allowed - the two buck chuck version. The installation process should require the authorisation of level 1. This would probably be difficult to enforce though.

basil.cinnamon

Are there any ad-blocking apps out there, similar to what we have for browsers on PCs?

btracy713

These days, everything we do is being tracked by smartphones and tablets, your locations are constantly being tracked, our digital footprints tell our stories.

btracy713

It all goes back to "Nothing in life is free" there is a price to pay for everything in this world, only problem with this is that most don't know the price of free apps, check the code, it's deceptive and downright CRIMINAL!

HypnoToad72

There used to be plenty of iOS reports showing Apple quietly collecting data and the rest of it all... Maybe "market forces" will demand these companies restoring privacy and freedom and the rest of the shoveled buzzwords... Or maybe they won't. Dunno.

bboyd

Here I was just idly ignoring my privacy... How am I going to justify a new phone! Good news is I assumed that these things ruined my privacy and still wait to find the guts to overcome my paranoia. So the real takeaway is the "There ain't no such thing as a free lunch" axiom still holds in a modern world.

Michael Kassner

New post: Did you know that the built-in ads in free apps get the same permission set as the host app? That has serious implications regarding privacy and security.

Michael Kassner

As for malware, William and I are more concerned about malicious apps that manage to sneak into Play Store or other app markets. As for passwords and credit card info, I would refrain from having that on my phone unless I had it in some kind of an encrypted vault. For example, LastPass and 1Password have apps for mobile devices.

Michael Kassner

That is a good idea for those that root their phones. But, there are probably millions of people that don't want to have to root their phones and lose their warranties and update path.

bboyd

Please don't attribute MK's article to paranoid delusions. The risk does exist and, like most known vulnerabilities in the computer world, will be exploited. The simple fact is that the ad servers do not need and should not need the level of permissions being given to most apps. Excessive access to ad servers allowed malware to originate from places like the London Times and other trustworthy sites. Never mind the lax privacy controls and tracking that ad agents use to improve monetization of individual ad views. The Apps themselves often ask for excessive permissions just so the ad servers can "exploit" the access it gives them. Telling us about these facts is not crying wolf, it's awareness.

Michael Kassner

I really don't know how this will be resolved. They have been banging away at it on the computer side for several years and are not getting anywhere.

authorwjf

You are the ad blocker my friend. Seriously, most paid apps cost about a dollar. If you don't want the ads why not just buy the app? As an app developer I assure you running ads in my apps is not by choice. It makes me significantly less profit and means I have to support 2 versions of the application: an ad-supported version and a paid version. A general ad-blocker for phone apps just means developers will stop making free versions of apps. I'm not saying this is bad, just pointing out that it is users who are demanding we keep cranking out the ad-supported (free) versions of our apps, not the other way around.

Michael Kassner

Hardening firmware may not work, if we give the app permission. It's the app developers and ad networks that need to make changes. As Dr. Jiang said, this is a real difficult problem to solve.

Michael Kassner

You can shut the phone off or use airplane mode. But as soon as you turn it back on, the phone will attach to the nearest cell tower and they have you located to within that range.

Michael Kassner

What Dr. Jiang and I want to point out is that the potential is there and users have no way of knowing if their privacy is being invaded.

Stalemate

Apple was one of the only manufacturers who openly embraced CarrierIQ: "Apple, for one, has admitted to using Carrier IQ on its iOS devices, but assured that most of its iOS 5 devices no longer use the software and that future updates would completely remove it. [via AppleInsider]" Paying for an app does not guarantee your habits are not being monitored.

Michael Kassner

If we use computer ads as an example they have decided that users will have to opt out of behavioral advertising. I'm thinking the free versus pay model is the mobile equivalent.

Michael Kassner

I had problems with the free app/in-app ad format right from the start. A one-time payment was cheaper to me than letting an ad network use my bandwidth. I now see there are more serious things to beware of as well.

HypnoToad72

If it's ad-based, then that is how the app is paid for. Ads and what might be collected. No big deal. Cross the line and that's when people get unhappy - despite paid apps (hi Apple!!) they still collect, and no doubt everyone else does. Quietly or otherwise. Not that I've become cynical or anything...

HypnoToad72

probably with as much thought and tact, to be honest...

Michael Kassner

One thing a bit more alarming is with this leakage we do not know where the information is going, if it is being culled. Ad networks have not been that good at vetting ads on websites, and this is a similar situation.

david.hunt

While some apps may come in a paid package that does not include Ad Libraries, others come as a single package with the option to pay for a Key to turn off the Ads. Does entering the Key to turn off the Ads disable use of the linked libraries, or just disable display of the Ads? In other words, has it just given the user a warm fuzzy feeling without actually reducing access to private information by the Ad network?

Michael Kassner

Where is the line drawn? The researchers have examples of where the ad networks were capturing information. Also, I personally have not seen any mention anywhere in app EULAs about permissions being passed along to the ad network. That bothers me.

Michael Kassner

If you remember the issues with the NYT and their TPV ad network. The problem was no vetting of the players--ad developers, advertisers, and ad networks. Any one of them can inject malware or ask for sensitive information.

authorwjf

I can answer this to a degree. Generally the only time the ad network software gets any control in the app is when we instantiate the ad window. So in my experience popular ad networks like admob don't get a chance to do any of their behind the scenes stuff if you don't display the ad window. That said, apps that have two versions in the market, one paid and one ad supported, are ultimately a safer bet because if the developer does his/her job correctly the "ad free" version should usually require fewer permissions than the version that includes the ad library.

Michael Kassner

David, Dr. Jiang has not looked into it but said this: Regarding the option to pay for a key to turn off the ads, I have not looked into the mechanism to turn off ads yet. But if it just gave the illusion of not displaying the ads but still running the ad libraries behind the scheme, the exposed risks will likely remain. I hope that helps a little.

Michael Kassner

To be honest, I do not have an answer for you. I will ask Dr. Jiang for his opinion and get back to you. Thanks for asking.

david.hunt

As the Ad Libraries are deliberately included in the application by the App Developer, then that person is responsible for the usage of data accessed by that application (which includes the Ad network to whom the library grants access). As such, the use of the data is governed by the Privacy Policy of the developer, unless the app includes a separate one for the advertising network. Laws in Australia, the UK and the US are very specific about privacy, so it will be interesting to see the litigation when some significant misuse arises. It will be interesting