Free phone apps come with baggage. The baggage I’m referring to is the advertising inherited with the app as a way to offset the app being free.

I’ll let others debate whether accepting advertising is a fair swap for a free app or not. I’m more concerned about what was uncovered in the research paper: “Unsafe Exposure Analysis of Mobile In-App Advertisements.” Dr. Xuxian Jiang and his prolific research team have unearthed unsettling information about free apps designed for the Android operating system.

I’ve written so many articles with Dr. Jiang’s help, that I just send him the questions and he graciously returns the answers. So let’s get to it.

Kassner: I avoid apps that include advertising — they’re annoying and drain my phone’s battery. From your paper, it seems this should be the least of my concerns. Would you describe what you have uncovered?
Jiang: In-app ads may pose privacy and security risks. Some embedded in-app ad libraries collect personal information stored on the phone, which may not be justified for advertising purposes. Some ad libraries have dynamic-code loading capability that is often abused by existing malware to escape detection.

Kassner: Something puzzles me. The paper states:

“Even though ad libraries come from a different developer and have different intentions than their hosting apps, they are afforded the same permissions.”

I don’t think many people realize that in-app ads have the same permission set as the app. I sure didn’t. How is that possible?

Jiang: During installation, when prompted to check the list of permissions requested by the app, users typically only think of the host app. However, ad libraries receive the same permissions as the app.

This is due to a lack of isolation — at the Android platform level — separating the ad libraries from the host app. The main motivation behind our study is to argue for an isolation mechanism. It is also our hope that mobile-platform providers can take the lead in creating the required separation.

Kassner: So that’s why in-app ads can download and execute code. Scary. That ability also bypasses any protection afforded by sandboxing. Something else I read in the NCSU news release:

“4,190 apps used ad libraries that allowed advertisers themselves to access a user’s location via GPS.”

So besides executing code, an ad could turn on the phone’s GPS without user permission or knowledge?

Jiang: That’s not completely accurate. Ads built into apps with location permission can access a user’s location via GPS, assuming the GPS is turned on. I believe actually enabling the GPS requires a different permission.
Kassner: That’s good news; at least we still control the GPS. I do remember writing about the enable permission with William Francis. I see that once again your team built a tool — AdRisk — to automate your analysis.

Would you briefly explain what AdRisk does?

Jiang: The tool looks for suspicious (mis)uses of potentially dangerous Android permissions and reports the corresponding execution path, which is then verified.
Kassner: With this attack vector now proven, what is your biggest concern?
Jiang: The biggest concern is there’s no easy solution. Changes in the current app-monetization model and the platform may be required. And if that happens, app developers should be required to incorporate the changes when in-app ads are used.
Kassner: It seems that not using free apps with in-app advertising is our only recourse. Are there any other solutions?
Jiang: Right now, it’s the only option. In the future, one solution might be to certify the safe use of existing ad-libraries. If apps only include certified ad libraries, they can certainly be considered safe to use.
Kassner: Thank you Dr. Jiang for your insight and solid research. My Android-investigative partner, William Francis agrees, mentioning:

“Dr. Jiang is so thorough technically; there is never any disputing his findings. The only issue I ever have with his findings is that sometimes they run counter to my livelihood.”

That comment tripped my journalistic button. I asked William what he meant.

Francis: It’s all about click counts. The more people click on the ads displayed in an app, the more money is made by the app developer and the ad network. So it’s important to individualize ads for each user. That means knowing as much as possible about the user – for example, interests and location.

I’m not defending the ads or the Android permissions system. I think there definitely needs to be safer, finer controls, and oversight. I’m just pointing out that — in general — app developers and ad-network owners are not sitting in a lab somewhere thinking up diabolical ways to violate user privacy.

They are focused on trying to make the best of an evolving market that operates within tight financial parameters. That doesn’t mean there aren’t bad guys out there waiting to take advantage of these new opportunities. We all know there are.

In-app advertising represents a tricky scenario and solving it to everyone’s satisfaction is technically challenging. It’s also a relatively new problem and as such, I believe in time will get worked out. What we hope is that it gets worked out through intelligent discussions fueled by authors like you and researchers like Dr. Jiang.

The alternative of some high-profile case of abuse would be bad for everyone involved in the smart phone and app market, including consumers.

Final thoughts

Whether an app gets the requested permissions or not is ultimately our choice. Until recently, I had no problem with that. I could research the app and its developer — then decide. Apparently there’s more to it and hidden from our view.

A heart-felt thanks to Xuxian, his research team, and William for their expert help in shedding light on this controversial subject.