Smartphones

App spots hidden ad networks on Android phones

Who gets to use private information stored on your phone should be your choice. Michael Kassner found an app that makes it so.

Where is it written that ad networks hosted by free Android apps get to inherit the same permissions given the app? If you know of an app privacy policy actually declaring that arrangement, please let me know.

If you are wondering what I'm talking about, you're not alone. Alarmingly few Android-phone users realize they are granting completely unknown entities permission to access their sensitive information.

Here's an example. The following slide lists the permissions that must be agreed to in order to install a free game:

If you accept -- the game and the ad network embedded in the game have permission to access the above information as they see fit.

Ad networks?

After explaining the above relationship, people invariably ask two questions, "What's an ad network?" To which I respond, "Advertising networks are go-betweens, connecting advertisers with companies having websites or in this case apps that act as advertising platforms."

The second question is almost always, "Which ones? I'm not so sure I want to give an ad agency carte blanche." Here's where I lose "street cred", I have to admit that I don't know which ones. Thankfully, the mobile-security company Lookout Labs has come to my rescue.

Ad Network Detector

"Ad Network Detector scans the apps on your Android device for the presence of any of 35 mainstream ad networks, including those that are capable of displaying out-of-app ads.

Ad Network Detector puts the information that we've gathered about ad networks at your fingertip. This includes description of what types of ads can be displayed, as well as what personal information is collected."

Lookout Labs has had an app like this in mind for a while now. It started with Privacy Advisor almost eighteen months ago, graduated to Push Ad Detector and now finally Ad Network Detector.

How it works

Ad Network Detector is free -- no advertising (my attempt at humor). After installation, you will see the following screen:

If you click on "Start Scan," the app will cycle through all of the installed apps. When it is finished, Ad Network Detector will present a screen similar to the next slide:

In the above example, Ad Network Detector found two ad networks collecting location information and three collecting device or mobile network information. When you drill down, you find the names of the ad networks and the apps they are associated with:

At this point, you have two options; delete the app or opt-out of targeted advertising. I had several questions about the app, particularly what happens if you opt-out:

I got in touch with Amy Werminski, Marketing Associate at Lookout Labs, and my contact on earlier articles about Lookout products. She passed my questions on to Derek Halliday, Senior Security Product Manager at Lookout Labs.

Kassner: I wrote about Privacy Advisor when I reviewed Lookout last year. How is Ad Network Detector different from it? Halliday: Lookout's Privacy Advisor helps you manage your privacy by listing the apps that can access certain data and features -- this information is based on the permissions that each application requests. You can quickly view a list of the apps that have access to your device's location, contacts, or identity information. Privacy Advisor provides a detailed report on the capabilities for any given application.

In contrast, Ad Network Detector provides insight into the information that ad networks (integrated within the apps on your phone), can access. Many applications work with ad networks to serve ads inside their app, particularly free applications that rely on ads for revenue.

Embedded ad networks piggyback on the permissions requested by the application itself to access information about you or your device, and it's not always clear whether a given permission is required by the app or an ad network. Personal data is often gathered so advertisers can show you more relevant ads and track results of ad campaigns.

The Ad Network Detector provides details of the ad networks on your phone and shows the private information they can access.

Kassner: The press release states:

"We've been particularly watchful of ad networks that are capable of pushing out-of-app ads to the default Android notification bar, placing generically designed icons on the mobile desktop, and changing browser settings, like bookmarks or homepage."

I understand everything except "out-of-app ads." What are they?

Halliday: Most people are familiar with in-app advertising -- it's the most dominant form of mobile advertising. A few months ago, we began to see ads that are displayed outside the context of an app. We also received feedback from many of our users that this form of advertising was confusing and annoying. "Out of app ads" refers to this type of ad display, which includes a number of distinct advertising tactics, including:
  • Displaying ads in the standard Android notification bar.
  • Adding bookmarks to the mobile browser that link to ad sites.
  • Adding shortcuts to the mobile desktop that link to ad sites.
Kassner: Ad Network Detector provides an opt-out option link for each ad network. It seems the phone owner will still receive ads. Does opting out stop the collection of data or just change what ads are presented? Halliday: It varies by each ad network. The majority of ad networks, such as AdMob, allow smartphone users to opt-out of receiving targeted ads. In most cases you'll still receive untargeted advertisements.

Other ad networks, such as AirPush, allow a user to opt out of receiving all push notification advertisements to their device. Opting out of ad networks may also curtail the collection of personal mobile data, but this is not guaranteed and varies depending on the ad network.

Kassner: Is there a catch 22 at play here? The only way the phone owner can find out what ad networks are involved and what information is being collected is after the app is installed. Isn't that too late -- the information could already be captured by the ad network? Halliday: Firstly, it's never too late to learn what information you've already provided to ad networks. In our experience, this is a topic that few users fully grasp, and this is a primary purpose of the Ad Network Detector.

To respond to your particular question, it's not necessarily too late. Even if an app has been downloaded and installed, most ad networks cannot collect information until a user runs the app. For wary users, we recommend running the Ad Network Detector before launching a newly downloaded application to see what ad networks are present on your device and what information they can access.

Based on the ad networks embedded, you'll be better equipped to decide whether you want to keep the app or not. In addition, certain types of information, such as location, are temporal in nature, and by choosing to remove any apps already installed/running, a user can ensure that their location is no longer available to any given ad network.

William's thoughts

I always ask William Francis, my Android investigative cohort, for his opinion on matters of Android. Here is what he had to say about Ad Network Detector:

"I have a couple of things I would like to mention. As an app developer, I have the option to change out the ad network I'm using after you've already downloaded and installed my app in an update. And, I can and often do include more than one ad network in my apps. So that if one is not producing revenue I can switch to another on the fly. I am curious as to how Ad Network Detector handles these 2 scenarios.

Another thing I'll mention is that while I support Admob's ability to allow users to receive non-targeted ads, I'm not a fan of ad networks that allow users to opt out altogether. In fact, I won't use those and you can guess why. No ads on a free app = no $$ for me and my hard work."

Thanks, William

Final thoughts

I check out the developer when I'm interested in a new phone app. Not being able to vet a third party that will have access to the identical information as the app developer did not sit well with me. Ad Network Detector is just the peace-of-mind I was looking for.

I'd like to thank Amy and Derek of Lookout Labs for helping me understand the intricacies of Ad Network Detector.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

13 comments
gevander
gevander

Add a QR code for those of us that read the article on our PC and want to install the app on our phones. It will make it easier for us to get to the app. (Yeah, "lazy user/reader syndrome.")

Deadly Ernest
Deadly Ernest

To me, a phone is a thing I make and receive telephone calls on, end of story. So call me a recidivist and be happy, but I use technology for my convenience and my pocket, not for someone else to make money by annoying the hell out of me. As to the opt out programs and ad blocks systems, nearly all of them also come with a white list, that's a list of approved ad suppliers who've paid the organisers of the blocking system to allow theirs through. Thus you can never be sure they really work, either.

Gisabun
Gisabun

And who says Ad Network Detector isn't doing the same? :-) [Sort of who's policing the police?]

seanferd
seanferd

But it sure seems like platform vendors are just making things increasingly difficult, never mind the app and malware vendors. Best wishes for the smart/mobile device and cloud consumers.

Michael Kassner
Michael Kassner

New post There's an app for that now. Lookout Labs has an app that seeks out ad networks and what permissions are being granted to them.

Michael Kassner
Michael Kassner

I contemplated doing as much, then I wrote this article about QR Codes: http://www.techrepublic.com/blog/security/beware-of-qr-codes/7191 I mainly write about IT and Android security -- hence my precautionary tale. If you still want me to add a QR Code, let me know and I will. You may be interested, I am in the middle of writing about an app similar to Ad Network Detector, so please stay tuned.

Michael Kassner
Michael Kassner

How have you been, haven't seen you on the forum for a while?

Michael Kassner
Michael Kassner

Ad Network Detector does not ask for zero permissions.

Deadly Ernest
Deadly Ernest

But some more recent forum changes have counteracted most of the problems I had with the previous set of changes. Been busy writing a lot of stories too. Hope you're well and stay well. If you've not found it yet, you should look at Zorin OS www.zorin-os.com I've a lot of retired people as clients and they don't want the fancy stuff they get with the new systems, they just want a better version of their old Win 98 Win 3, or 2000 systems on modern hardware, and this does that as the premium version has a set of optional GUIs that include Win 2000, Win XP, and Win Vista for only 7 Euros - set one person up with Zorin OS 5 using the Win 2000 GUI, Fire Fox, Thunderbird, and Libre Office to replace their Win 98 system with Fire Fox, Thunderbird, and Office 97 - - they were fully operational as soon as it booted as they were hard pushed to tell any difference. Familiarity ALWAYS wins the day.

Michael Kassner
Michael Kassner

Thanks for the tip. Hope you will stay healthy as well.

Editor's Picks