Risk
7/12/2012
09:34 AM
50%
50%

Free Android Apps Have Privacy Cost

More than half of free Android apps use advertising networks and exchanges. Most are legit, but about 5% interface with 'aggressive' networks that could threaten your privacy.

Can you ever get something for free? When it comes to smartphone apps, don't bet on it.

Most smartphone applications that are provided "for free"--both for iOS and Android--want something in return, and the tradeoff often comes at the expense of users' privacy. According to mobile security firm Lookout, for example, more than half of free Android apps use advertising networks and exchanges.

While most people will choose to trade advertising for access to a free app, Lookout warned that over 5% of free Android apps interface with at least one "aggressive" ad network that exhibits behavior that borders on malicious. By Lookout's count, free Android apps that interface with aggressive advertising networks have been downloaded by consumers at least 80 million times.

[ Google recently removed from Google Play malware disguised as two popular games. Read more at More Android Malware Pulled From Google Play. ]

"The presence of aggressive ad networks in mobile apps is one of the most prevalent mobile privacy issues today," said Lookout CTO Kevin Mahaffey via email. As examples of aggressive techniques, he pointed to push advertising being delivered via notification bars in devices, advertising programs that create their own desktop icons or shortcuts, and programs that modify browser bookmarks or change the default mobile browser homepage to an advertiser-selected site.

Mahaffey's warning was issued on the eve of the National Telecommunications and Information Administration, which is part of the Department of Commerce, convening a mobile privacy stakeholder meeting, scheduled for Thursday in Washington.

Springboarding off the White House's Consumer Privacy Bill of Rights, proposed earlier this year, the meeting's principle objective--according to the official overview--is to begin discussions about the best way to design "a code of conduct to provide transparency in how companies providing applications and interactive services for mobile devices handle personal data."

According to the NTIA, "a code of conduct might address how best to convey data practices to consumers who download mobile apps and use interactive mobile services." As seems to so often be the case when it comes to protecting consumer privacy online, however, the federal government is already lagging moves by various states.

In the case of mobile apps, California in particular has been leading the privacy charge. To date, the state has gained assurances from the six technology companies with the largest mobile app market platforms--Amazon, Apple, Google, HP, Microsoft, and Research In Motion, as well as Facebook, that they will require app developers to clearly detail to consumers exactly which data they're collecting, and for what purpose. All app developers will have to include that information in their applications' privacy policies. As a result, California's program stands to improve transparency not just for the state's residents, but all U.S. consumers.

Of course, not all advertising networks would be covered--or necessarily named--via California's code of conduct. So how might a federal-level code of conduct improve matters? One of the principle mobile-advertising-related privacy concerns, according to Lookout, is simply the opaque way in which so much mobile data is currently collected and shared by advertisers. "The mobile advertising ecosystem consists of complex relationships between ad providers, app publishers, and end users. Due to this complexity, it's often difficult for consumers to grasp the degree to which their information has been collected and shared," read a recently released report from Lookout, "Mobile App Advertising Guidelines." As the title suggests, the report contains Lookout's recommendations for rules that all mobile app developers should follow, unless they want their software labeled as "adware" and blocked by security products.

Furthermore, unless advertisers come clean about what information is being collected and shared, they should expect to be regulated, warned Lookout. "Industry regulation, which increasingly becomes a possibility as new, aggressive forms of ad delivery and information collection are explored, is something that can be avoided only with full information disclosure to end users," said the report.

Besides the aggressive advertising practices noted above, "many ad providers are deploying new types of functionality linked to ad touch actions, including triggering of outgoing phone calls, text messages, or creation of calendar events," according to the report. In other words, the mobile advertising ecosystem might evolve in ways that aren't beneficial to consumers. "Given the pace at which the mobile ecosystem is moving, it's important that standards are developed to ensure that private user data is accessed and managed appropriately, and that controversial behavior is properly highlighted," the report stated.

Mobile app advertising standards would apply not just to advertisers, but also developers, which could add some security rigor to current development practices. Even when smartphone app developers' intentions appear to be trustworthy, their software can handle users' personal information in insecure ways, thus exposing the data to the threat of interception. Earlier this year, for example, iOS apps Path and Hipster were found to be leaking contact data. While researchers didn't suggest that either application development firm was grabbing people's contact information for nefarious purposes, the wholesale transmission of people's address books in unencrypted format certainly did nothing to protect the privacy of users' data.

More than 900 IT and security professionals responded to InformationWeek’s 2012 Strategic Security Survey. Our results cover a variety of areas critical to information risk management, including cloud, mobility, and software development. Download the 2012 Strategic Security report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Guest.
50%
50%
Guest.,
User Rank: Apprentice
7/14/2012 | 3:49:22 AM
re: Free Android Apps Have Privacy Cost
> warned that over 5% of free Android apps interface with at least one "aggressive" ad network t

Wow. A whopping 5%. That's far from a major problem.
Guest.
50%
50%
Guest.,
User Rank: Apprentice
7/14/2012 | 3:48:14 AM
re: Free Android Apps Have Privacy Cost
The OS needs a fix: If I see *ANYTHING* in my notification-bar that is spam... 1 long-click... uninstalls the app that made it.

Done.

Also, I have *NEVER* seen any apps that make random shortcuts, or change my browser bookmarks. The OS could easily prevent that. Only allowing the app that made the data... to change the data.

ANON1237925156805
50%
50%
ANON1237925156805,
User Rank: Apprentice
7/13/2012 | 7:35:07 PM
re: Free Android Apps Have Privacy Cost
These initiatives are a good idea, but who knows what impact they will have and when? In the meantime, consumers should make wise choices.

I learned my lesson about free apps with ads from supposedly reliable vendors years ago when I opted for free Grokster on my PC to save $29.95. That price differential sure made free seem like a reasonable choice and Grokster was getting all kinds of favorable press. A week later I detected that my PC had been conscripted into a spybot army. Ouch!

In the mobile universe apps that are offered in free and paid versions never cost more than $5.00 for the paid version; sometimes they are as cheap as $.99. Those who grouse about "not free" could easily fund such a rash expenditure by eliminating one visit to Starbucks.

My current policy: I try to evaluate apps online and look for friends who have them and are willing to let me play. In rare cases I may install a free version for a day or two to eval. Once it's clear I'll use an app then I pay to eliminate the advertising.

PJS880
50%
50%
PJS880,
User Rank: Ninja
7/12/2012 | 3:30:05 PM
re: Free Android Apps Have Privacy Cost
I recently bought a second phone, because I was traveling to another country and my carrier does not offer international calling. I went with the Galaxy SII, it was a reasonable cost and I liked the features. As with any new phone after setting up the basics I began to fill up my applications with the apps that I liked or thought I could use on the trip. I now have pop ups in my notification bars an also I will find various app icons on my home pages that are spam. There is nothing worse than a company taking advantage of its own offers for free apps and it is a total turn off to the company and its future products. For me that am the quickest way to turn me off to your app, by supplying me with a bunch of junk that I do not need or want and furthermore do not need! I do not know anyone who like or appreciates aggressive advertising practices!

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.