Android apps that carry built-in adverts, which account for most of the free ones, could be putting users’ privacy and security at risk. This is the finding of a new study by researchers from North Carolina State University in the US.
Its team looked at 100,000 apps on the official Android Market (now called Google Play) between March and May 2011. More than half contained “ad libraries” that retrieve ads from remote servers to display on handsets. These ads can be supplied by Google or other third parties. However, the ad libraries run with the same set of permissions that the app itself is granted when you download and run it.
The researchers found that 297 of the apps they studied included what they call “aggressive ad libraries”, which can download and run code from remote servers.
More than 48,000 of the apps could track user locations by GPS. Others could access core information such as call logs, stored phone numbers and a list of every installed app on the device.
This initial report doesn’t name examples of problematic apps and, in fact, most apps themselves are harmless. But handing over this access to potentially unknown third parties raises obvious concerns. The study describes the aggressive ad libraries in particular as using an “unsafe mechanism” that could be exploited by hackers to bypass existing Android security.
The BGR website quotes Dr Xuxian Jiang, an assistant professor of computer science at NC State and co-author of a paper explaining the work: “Running code downloaded from the internet is problematic because the code could be anything. For example, it could potentially launch a ‘root exploit’ attack to take control of your phone, as demonstrated in a recently discovered piece of Android malware called RootSmart.”
The study encompassed Android, but the problem may not be isolated to that system.
“To limit exposure to these risks, we need to isolate ad libraries from apps and make sure they don’t have the same permissions,” says Jiang. “The current model of directly embedding ad libraries in mobile apps does make it convenient for app developers, but also fundamentally introduces privacy and security risks. The best solution would be for Google, Apple and other mobile platform providers to take the lead in providing effective ad-isolation mechanisms.”
Whether measures such as rooting your phone and using an ad-blocker can completely protect you from these vulnerabilities is something the boffins may be able to explain in more detail. The research paper will be presented on 17 April at the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks in Tucson.
It’s not a good time for the free apps market. Another recent report claimed that ad-based apps also consume more battery power.
Although we all love free stuff, maybe more of us should just save up the pennies and actually pay for the full pro versions?