Advertising code in free smartphone apps an ongoing security risk
Mon 5 Jan 2015
As the mobile revolution continues to overtake the desktop age, the verbosity of license agreements for digital services and applications has gradually given way to uncompromising ‘agree’ screens at install time which demand access to a user’s contacts and other private information in order to complete installation – even for software that cannot possibly have need of this kind of access. The objective, either through data collection or direct in-app advertising, is usually commercial, and new research from security research company MWR InfoSecurity indicates that the ad-serving/collection networks in many ‘free’ mobile apps presents a significant security/privacy risk for the end-user.
InfoSecurity’s Robert Miller explains that the exploitation of ‘cross application’ data, made possible when two installed apps are restricted by the mobile OS from communicating with each other but which both share an ad-serving infrastructure, can expose users to hackers via vulnerabilities in advertising code – an attack vector which predates the smartphone era by many years, since hackers have always viewed a website’s ad network as its easiest point of entry for SQL injections attacks, data theft and other incursions.
Miller said: “Most mobile devices contain a security model that means app A can’t easily see the data of app B and also can’t use the same permissions. So if app A can see your SMS and app B can’t, app B can’t ask app A for your SMS. However, if app A and app B contain code from the same ad network, then the ad network can view your SMS, if it wishes […] If attackers insert themselves into the picture by taking advantage of these vulnerabilities in coding, it is highly likely for them to steal user data.”
The research notes that the high linear permissions of an installed app can permit ads served through it to perform a range of privacy-breaching acts, including GPS location tracking, the sending and/or reading of SMS and email messages, the creation or deletion of files stored on the phone, the ability to turn on the phone’s camera and/or microphone – and even the capability of exposing personal data to eavesdroppers and the making of phone calls without the user’s permission.
Ad networks have always created connections between digital entities such as websites and applications which are supposed to be ‘walled’, traditionally through tracking cookies in website browsers. In 2011 ad-serving company Phorm caused a national scandal by signing agreements with all the major UK network providers to intercept customers’ data-packets at a deep network level in order to build up a consumer profile of the end-user (the scheme was ultimately made ‘opt-in’ under public pressure).
But stealth seems to have become redundant – these days we are handing over high-level permissions on our personal data either for ease of use on service networks such as Google, Facebook and Apple, or throwing it away in the excitement of an app install routine.
Robert Miller warns: “Consumers need to understand the eco-system of mobile applications. Free apps are supported by ad networks that trade in data. While users may not be paying for that nifty application in monetary terms, they will be paying with their information. And this means that user data is only as safe as the ad network.”
“What we demonstrated,” Miller continued, “was that due to the vulnerable and privileged advertising code, the app itself was undermined. Advertisers need to take more responsibility for security and in the meantime users should be doubling their vigilance against being overly blasé about letting apps access their sensitive mobile data.”
But Miller himself notes the lack of granularity or choice in most app install routines at the point where the installer demands access to your contacts, or to your location. “[There] is rarely a chance to pick and choose the permissions you are comfortable with, so if you don’t agree with any one of the permissions requested, don’t install the app.”