09:34 AM

Free Android Apps Have Privacy Cost

More than half of free Android apps use advertising networks and exchanges. Most are legit, but about 5% interface with 'aggressive' networks that could threaten your privacy.

Can you ever get something for free? When it comes to smartphone apps, don't bet on it.

Most smartphone applications that are provided "for free"--both for iOS and Android--want something in return, and the tradeoff often comes at the expense of users' privacy. According to mobile security firm Lookout, for example, more than half of free Android apps use advertising networks and exchanges.

While most people will choose to trade advertising for access to a free app, Lookout warned that over 5% of free Android apps interface with at least one "aggressive" ad network that exhibits behavior that borders on malicious. By Lookout's count, free Android apps that interface with aggressive advertising networks have been downloaded by consumers at least 80 million times.

[ Google recently removed from Google Play malware disguised as two popular games. Read more at More Android Malware Pulled From Google Play. ]

"The presence of aggressive ad networks in mobile apps is one of the most prevalent mobile privacy issues today," said Lookout CTO Kevin Mahaffey via email. As examples of aggressive techniques, he pointed to push advertising being delivered via notification bars in devices, advertising programs that create their own desktop icons or shortcuts, and programs that modify browser bookmarks or change the default mobile browser homepage to an advertiser-selected site.

Mahaffey's warning was issued on the eve of the National Telecommunications and Information Administration, which is part of the Department of Commerce, convening a mobile privacy stakeholder meeting, scheduled for Thursday in Washington.

Springboarding off the White House's Consumer Privacy Bill of Rights, proposed earlier this year, the meeting's principle objective--according to the official overview--is to begin discussions about the best way to design "a code of conduct to provide transparency in how companies providing applications and interactive services for mobile devices handle personal data."

According to the NTIA, "a code of conduct might address how best to convey data practices to consumers who download mobile apps and use interactive mobile services." As seems to so often be the case when it comes to protecting consumer privacy online, however, the federal government is already lagging moves by various states.

In the case of mobile apps, California in particular has been leading the privacy charge. To date, the state has gained assurances from the six technology companies with the largest mobile app market platforms--Amazon, Apple, Google, HP, Microsoft, and Research In Motion, as well as Facebook, that they will require app developers to clearly detail to consumers exactly which data they're collecting, and for what purpose. All app developers will have to include that information in their applications' privacy policies. As a result, California's program stands to improve transparency not just for the state's residents, but all U.S. consumers.

Of course, not all advertising networks would be covered--or necessarily named--via California's code of conduct. So how might a federal-level code of conduct improve matters? One of the principle mobile-advertising-related privacy concerns, according to Lookout, is simply the opaque way in which so much mobile data is currently collected and shared by advertisers. "The mobile advertising ecosystem consists of complex relationships between ad providers, app publishers, and end users. Due to this complexity, it's often difficult for consumers to grasp the degree to which their information has been collected and shared," read a recently released report from Lookout, "Mobile App Advertising Guidelines." As the title suggests, the report contains Lookout's recommendations for rules that all mobile app developers should follow, unless they want their software labeled as "adware" and blocked by security products.

Furthermore, unless advertisers come clean about what information is being collected and shared, they should expect to be regulated, warned Lookout. "Industry regulation, which increasingly becomes a possibility as new, aggressive forms of ad delivery and information collection are explored, is something that can be avoided only with full information disclosure to end users," said the report.

Besides the aggressive advertising practices noted above, "many ad providers are deploying new types of functionality linked to ad touch actions, including triggering of outgoing phone calls, text messages, or creation of calendar events," according to the report. In other words, the mobile advertising ecosystem might evolve in ways that aren't beneficial to consumers. "Given the pace at which the mobile ecosystem is moving, it's important that standards are developed to ensure that private user data is accessed and managed appropriately, and that controversial behavior is properly highlighted," the report stated.

Mobile app advertising standards would apply not just to advertisers, but also developers, which could add some security rigor to current development practices. Even when smartphone app developers' intentions appear to be trustworthy, their software can handle users' personal information in insecure ways, thus exposing the data to the threat of interception. Earlier this year, for example, iOS apps Path and Hipster were found to be leaking contact data. While researchers didn't suggest that either application development firm was grabbing people's contact information for nefarious purposes, the wholesale transmission of people's address books in unencrypted format certainly did nothing to protect the privacy of users' data.

More than 900 IT and security professionals responded to InformationWeek’s 2012 Strategic Security Survey. Our results cover a variety of areas critical to information risk management, including cloud, mobility, and software development. Download the 2012 Strategic Security report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
7/14/2012 | 3:49:22 AM
re: Free Android Apps Have Privacy Cost
> warned that over 5% of free Android apps interface with at least one "aggressive" ad network t

Wow. A whopping 5%. That's far from a major problem.
User Rank: Apprentice
7/14/2012 | 3:48:14 AM
re: Free Android Apps Have Privacy Cost
The OS needs a fix: If I see *ANYTHING* in my notification-bar that is spam... 1 long-click... uninstalls the app that made it.


Also, I have *NEVER* seen any apps that make random shortcuts, or change my browser bookmarks. The OS could easily prevent that. Only allowing the app that made the data... to change the data.

User Rank: Apprentice
7/13/2012 | 7:35:07 PM
re: Free Android Apps Have Privacy Cost
These initiatives are a good idea, but who knows what impact they will have and when? In the meantime, consumers should make wise choices.

I learned my lesson about free apps with ads from supposedly reliable vendors years ago when I opted for free Grokster on my PC to save $29.95. That price differential sure made free seem like a reasonable choice and Grokster was getting all kinds of favorable press. A week later I detected that my PC had been conscripted into a spybot army. Ouch!

In the mobile universe apps that are offered in free and paid versions never cost more than $5.00 for the paid version; sometimes they are as cheap as $.99. Those who grouse about "not free" could easily fund such a rash expenditure by eliminating one visit to Starbucks.

My current policy: I try to evaluate apps online and look for friends who have them and are willing to let me play. In rare cases I may install a free version for a day or two to eval. Once it's clear I'll use an app then I pay to eliminate the advertising.

User Rank: Ninja
7/12/2012 | 3:30:05 PM
re: Free Android Apps Have Privacy Cost
I recently bought a second phone, because I was traveling to another country and my carrier does not offer international calling. I went with the Galaxy SII, it was a reasonable cost and I liked the features. As with any new phone after setting up the basics I began to fill up my applications with the apps that I liked or thought I could use on the trip. I now have pop ups in my notification bars an also I will find various app icons on my home pages that are spam. There is nothing worse than a company taking advantage of its own offers for free apps and it is a total turn off to the company and its future products. For me that am the quickest way to turn me off to your app, by supplying me with a bunch of junk that I do not need or want and furthermore do not need! I do not know anyone who like or appreciates aggressive advertising practices!

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.