If you are wondering what I’m talking about, you’re not alone. Alarmingly few Android-phone users realize they are granting completely unknown entities permission to access their sensitive information.
Here’s an example. The following slide lists the permissions that must be agreed to in order to install a free game:
If you accept — the game and the ad network embedded in the game have permission to access the above information as they see fit.
After explaining the above relationship, people invariably ask two questions, “What’s an ad network?” To which I respond, “Advertising networks are go-betweens, connecting advertisers with companies having websites or in this case apps that act as advertising platforms.”
The second question is almost always, “Which ones? I’m not so sure I want to give an ad agency carte blanche.” Here’s where I lose “street cred”, I have to admit that I don’t know which ones. Thankfully, the mobile-security company Lookout Labs has come to my rescue.
Ad Network Detector
“Ad Network Detector scans the apps on your Android device for the presence of any of 35 mainstream ad networks, including those that are capable of displaying out-of-app ads.
Ad Network Detector puts the information that we’ve gathered about ad networks at your fingertip. This includes description of what types of ads can be displayed, as well as what personal information is collected.”
How it works
Ad Network Detector is free — no advertising (my attempt at humor). After installation, you will see the following screen:
If you click on “Start Scan,” the app will cycle through all of the installed apps. When it is finished, Ad Network Detector will present a screen similar to the next slide:
In the above example, Ad Network Detector found two ad networks collecting location information and three collecting device or mobile network information. When you drill down, you find the names of the ad networks and the apps they are associated with:
At this point, you have two options; delete the app or opt-out of targeted advertising. I had several questions about the app, particularly what happens if you opt-out:
I got in touch with Amy Werminski, Marketing Associate at Lookout Labs, and my contact on earlier articles about Lookout products. She passed my questions on to Derek Halliday, Senior Security Product Manager at Lookout Labs.
Kassner: I wrote about Privacy Advisor when I reviewed Lookout last year. How is Ad Network Detector different from it?
Halliday: Lookout’s Privacy Advisor helps you manage your privacy by listing the apps that can access certain data and features — this information is based on the permissions that each application requests. You can quickly view a list of the apps that have access to your device’s location, contacts, or identity information. Privacy Advisor provides a detailed report on the capabilities for any given application.
In contrast, Ad Network Detector provides insight into the information that ad networks (integrated within the apps on your phone), can access. Many applications work with ad networks to serve ads inside their app, particularly free applications that rely on ads for revenue.
Embedded ad networks piggyback on the permissions requested by the application itself to access information about you or your device, and it’s not always clear whether a given permission is required by the app or an ad network. Personal data is often gathered so advertisers can show you more relevant ads and track results of ad campaigns.
The Ad Network Detector provides details of the ad networks on your phone and shows the private information they can access.
Kassner: The press release states:
“We’ve been particularly watchful of ad networks that are capable of pushing out-of-app ads to the default Android notification bar, placing generically designed icons on the mobile desktop, and changing browser settings, like bookmarks or homepage.”
I understand everything except “out-of-app ads.” What are they?
Halliday: Most people are familiar with in-app advertising — it’s the most dominant form of mobile advertising. A few months ago, we began to see ads that are displayed outside the context of an app. We also received feedback from many of our users that this form of advertising was confusing and annoying. “Out of app ads” refers to this type of ad display, which includes a number of distinct advertising tactics, including:
- Displaying ads in the standard Android notification bar.
- Adding bookmarks to the mobile browser that link to ad sites.
- Adding shortcuts to the mobile desktop that link to ad sites.
Kassner: Ad Network Detector provides an opt-out option link for each ad network. It seems the phone owner will still receive ads. Does opting out stop the collection of data or just change what ads are presented?
Halliday: It varies by each ad network. The majority of ad networks, such as AdMob, allow smartphone users to opt-out of receiving targeted ads. In most cases you’ll still receive untargeted advertisements.
Other ad networks, such as AirPush, allow a user to opt out of receiving all push notification advertisements to their device. Opting out of ad networks may also curtail the collection of personal mobile data, but this is not guaranteed and varies depending on the ad network.
Kassner: Is there a catch 22 at play here? The only way the phone owner can find out what ad networks are involved and what information is being collected is after the app is installed. Isn’t that too late — the information could already be captured by the ad network?
Halliday: Firstly, it’s never too late to learn what information you’ve already provided to ad networks. In our experience, this is a topic that few users fully grasp, and this is a primary purpose of the Ad Network Detector.
To respond to your particular question, it’s not necessarily too late. Even if an app has been downloaded and installed, most ad networks cannot collect information until a user runs the app. For wary users, we recommend running the Ad Network Detector before launching a newly downloaded application to see what ad networks are present on your device and what information they can access.
Based on the ad networks embedded, you’ll be better equipped to decide whether you want to keep the app or not. In addition, certain types of information, such as location, are temporal in nature, and by choosing to remove any apps already installed/running, a user can ensure that their location is no longer available to any given ad network.
I always ask William Francis, my Android investigative cohort, for his opinion on matters of Android. Here is what he had to say about Ad Network Detector:
“I have a couple of things I would like to mention. As an app developer, I have the option to change out the ad network I’m using after you’ve already downloaded and installed my app in an update. And, I can and often do include more than one ad network in my apps. So that if one is not producing revenue I can switch to another on the fly. I am curious as to how Ad Network Detector handles these 2 scenarios.
Another thing I’ll mention is that while I support Admob’s ability to allow users to receive non-targeted ads, I’m not a fan of ad networks that allow users to opt out altogether. In fact, I won’t use those and you can guess why. No ads on a free app = no $$ for me and my hard work.”
I check out the developer when I’m interested in a new phone app. Not being able to vet a third party that will have access to the identical information as the app developer did not sit well with me. Ad Network Detector is just the peace-of-mind I was looking for.
I’d like to thank Amy and Derek of Lookout Labs for helping me understand the intricacies of Ad Network Detector.