Some Android applications contain adware that often exposes user’s personal information, according to a new study by researchers at North Carolina State University that documents how Android app ad libraries tap into unnecessary data.
These results clearly show the need for better regulating the way ad libraries are integrated in Android apps.
Ad libraries contained in many freely available Android applications allow advertisers to access information contained on mobile devices. The data is typically unnecessary for the ads to function properly, according to the research, which was conducted with a German research team from Technical University Darmstadt.
The research team examined 100,000 applications from Google Play, formerly known as the Android Market, and the ad libraries contained within them. One hundred different Android ad libraries were contained within 52.1% of the apps chosen.
Mobile application security issues
A panel of security experts at RSA Conference 2012 painted a bleak picture of the state of mobile applications and warned of the possibility of weaponized apps on both Android and iOS devices.
In this tip, lean how (MDM) and mobile application management (MAM) tools can centrally manage both personal and business mobile application security if properly implemented.
“Our results show that most existing ad libraries collect private information,” the report, entitled “Unsafe Exposure Analysis of Mobile In-App Advertisements,” stated. (.pdf) That private information could be anything from the user’s phone number to browser bookmarks on the device.
Ads are commonly used by Android developers in free mobile apps in order to make a profit. Android adware has been identified as a potential problem by security experts and privacy advocates. Many users don’t mind being shown ads in exchange for a free app, but experts say users might reconsider using them if they knew those ads are accessing the same privileges as the apps themselves.
While it may be necessary for an application or even an advertiser to have access to a smartphone’s GPS location, it is difficult to understand why advertisers need access to the user’s phone number, call log, contacts, or a list of other apps on the device, according to the researchers.
“Moreover,” the report detailed, “additional ones go a step further by making use of an unsafe mechanism to directly fetch and run code from the Internet, which immediately leads to serious security risks.”
Five of the libraries identified had a feature that allowed them to load code at runtime, which can be particularly dangerous, according to the study.
“These ad libraries are effectively impossible to statically analyze as a result; at a whim, their code can be changed. A malicious or compromised ad network could command its ad libraries to download a botnet payload or root exploit, for example,” the report stated.
One particular case that was found to fetch and load suspicious payloads was reported to Google during the course of the study. The seven applications found to contain that library were removed from the Android Market. That action shows the seriousness of these privacy concerns.
“These results clearly show the need for better regulating the way ad libraries are integrated in Android apps,” the report said.