

Free Android Apps Have Privacy Cost

More than half of free Android apps use advertising networks and exchanges. Most are legit, but about 5% interface with 'aggressive' networks that could threaten your privacy.

Can you ever get something for free? When it comes to smartphone apps, don't bet on it.

Most smartphone applications that are provided "for free"--both for iOS and Android--want something in return, and the tradeoff often comes at the expense of users' privacy. According to mobile security firm Lookout, for example, more than half of free Android apps use advertising networks and exchanges.

While most people will choose to trade advertising for access to a free app, Lookout warned that over 5% of free Android apps interface with at least one "aggressive" ad network that exhibits behavior that borders on malicious. By Lookout's count, free Android apps that interface with aggressive advertising networks have been downloaded by consumers at least 80 million times.

[ Google recently removed from Google Play malware disguised as two popular games. Read more at More Android Malware Pulled From Google Play. ]

"The presence of aggressive ad networks in mobile apps is one of the most prevalent mobile privacy issues today," said Lookout CTO Kevin Mahaffey via email. As examples of aggressive techniques, he pointed to push advertising being delivered via notification bars in devices, advertising programs that create their own desktop icons or shortcuts, and programs that modify browser bookmarks or change the default mobile browser homepage to an advertiser-selected site.

Mahaffey's warning was issued on the eve of the National Telecommunications and Information Administration, which is part of the Department of Commerce, convening a mobile privacy stakeholder meeting, scheduled for Thursday in Washington.

Springboarding off the White House's Consumer Privacy Bill of Rights, proposed earlier this year, the meeting's principal objective--according to the official overview--is to begin discussions about the best way to design "a code of conduct to provide transparency in how companies providing applications and interactive services for mobile devices handle personal data."

According to the NTIA, "a code of conduct might address how best to convey data practices to consumers who download mobile apps and use interactive mobile services." As seems to so often be the case when it comes to protecting consumer privacy online, however, the federal government is already lagging moves by various states.

In the case of mobile apps, California in particular has been leading the privacy charge. To date, the state has gained assurances from the six technology companies with the largest mobile app market platforms--Amazon, Apple, Google, HP, Microsoft, and Research In Motion--as well as Facebook, that they will require app developers to clearly detail to consumers exactly which data they're collecting, and for what purpose. All app developers will have to include that information in their applications' privacy policies. As a result, California's program stands to improve transparency not just for the state's residents, but for all U.S. consumers.

Of course, not all advertising networks would be covered--or necessarily named--via California's code of conduct. So how might a federal-level code of conduct improve matters? One of the principal mobile-advertising-related privacy concerns, according to Lookout, is simply the opaque way in which so much mobile data is currently collected and shared by advertisers. "The mobile advertising ecosystem consists of complex relationships between ad providers, app publishers, and end users. Due to this complexity, it's often difficult for consumers to grasp the degree to which their information has been collected and shared," read a recently released report from Lookout, "Mobile App Advertising Guidelines." As the title suggests, the report contains Lookout's recommendations for rules that all mobile app developers should follow, unless they want their software labeled as "adware" and blocked by security products.

Furthermore, unless advertisers come clean about what information is being collected and shared, they should expect to be regulated, warned Lookout. "Industry regulation, which increasingly becomes a possibility as new, aggressive forms of ad delivery and information collection are explored, is something that can be avoided only with full information disclosure to end users," said the report.

Besides the aggressive advertising practices noted above, "many ad providers are deploying new types of functionality linked to ad touch actions, including triggering of outgoing phone calls, text messages, or creation of calendar events," according to the report. In other words, the mobile advertising ecosystem might evolve in ways that aren't beneficial to consumers. "Given the pace at which the mobile ecosystem is moving, it's important that standards are developed to ensure that private user data is accessed and managed appropriately, and that controversial behavior is properly highlighted," the report stated.
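The behaviors Lookout calls aggressive (shortcut creation, bookmark changes, and ad taps that place calls, send texts, or add calendar events) each need a specific Android permission, so a first triage step is to check what an APK's manifest requests. The script below is an added example, not Lookout's tooling or anything from the article; the permission-to-behavior mapping is an assumption for triage, and a permission by itself does not prove an app misuses it.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Android manifest attributes live in this namespace (android:name, etc.).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from permissions to the aggressive behaviors named in the
# article; used only to flag manifests for closer manual review.
AGGRESSIVE_PERMISSIONS: Dict[str, str] = {
    "com.android.launcher.permission.INSTALL_SHORTCUT": "creates home-screen shortcuts/icons",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "modifies browser bookmarks/homepage",
    "android.permission.CALL_PHONE": "can trigger outgoing phone calls",
    "android.permission.SEND_SMS": "can send text messages",
    "android.permission.WRITE_CALENDAR": "can create calendar events",
    "android.permission.READ_CONTACTS": "can read the address book",
}


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return every android:name from <uses-permission> elements, in order."""
    root = ET.fromstring(manifest_xml)
    names = [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]
    return [n for n in names if n]


def flag_aggressive(manifest_xml: str) -> Dict[str, str]:
    """Map each requested permission in the watch list to the behavior it enables."""
    return {p: AGGRESSIVE_PERMISSIONS[p]
            for p in requested_permissions(manifest_xml)
            if p in AGGRESSIVE_PERMISSIONS}


# Constructed sample manifest for a hypothetical free game (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for perm, why in flag_aggressive(SAMPLE_MANIFEST).items():
        print(f"{perm}: {why}")
```

Run it against a decoded AndroidManifest.xml (for example, the output of apktool) to get a short list of permissions worth explaining in the app's privacy policy or reviewing before install.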

Mobile app advertising standards would apply not just to advertisers, but also developers, which could add some security rigor to current development practices. Even when smartphone app developers' intentions appear to be trustworthy, their software can handle users' personal information in insecure ways, thus exposing the data to the threat of interception. Earlier this year, for example, iOS apps Path and Hipster were found to be leaking contact data. While researchers didn't suggest that either application development firm was grabbing people's contact information for nefarious purposes, the wholesale transmission of people's address books in unencrypted format certainly did nothing to protect the privacy of users' data.


User Rank: Apprentice
7/14/2012 | 3:49:22 AM
re: Free Android Apps Have Privacy Cost
> warned that over 5% of free Android apps interface with at least one "aggressive" ad network t

Wow. A whopping 5%. That's far from a major problem.
User Rank: Apprentice
7/14/2012 | 3:48:14 AM
re: Free Android Apps Have Privacy Cost
The OS needs a fix: If I see *ANYTHING* in my notification-bar that is spam... 1 long-click... uninstalls the app that made it.


Also, I have *NEVER* seen any apps that make random shortcuts, or change my browser bookmarks. The OS could easily prevent that. Only allowing the app that made the data... to change the data.

User Rank: Apprentice
7/13/2012 | 7:35:07 PM
re: Free Android Apps Have Privacy Cost
These initiatives are a good idea, but who knows what impact they will have and when? In the meantime, consumers should make wise choices.

I learned my lesson about free apps with ads from supposedly reliable vendors years ago when I opted for free Grokster on my PC to save $29.95. That price differential sure made free seem like a reasonable choice and Grokster was getting all kinds of favorable press. A week later I detected that my PC had been conscripted into a spybot army. Ouch!

In the mobile universe apps that are offered in free and paid versions never cost more than $5.00 for the paid version; sometimes they are as cheap as $.99. Those who grouse about "not free" could easily fund such a rash expenditure by eliminating one visit to Starbucks.

My current policy: I try to evaluate apps online and look for friends who have them and are willing to let me play. In rare cases I may install a free version for a day or two to eval. Once it's clear I'll use an app then I pay to eliminate the advertising.

User Rank: Ninja
7/12/2012 | 3:30:05 PM
re: Free Android Apps Have Privacy Cost
I recently bought a second phone, because I was traveling to another country and my carrier does not offer international calling. I went with the Galaxy SII; it was a reasonable cost and I liked the features. As with any new phone, after setting up the basics I began to fill up my applications with the apps that I liked or thought I could use on the trip. I now have pop-ups in my notification bars and also I will find various app icons on my home pages that are spam. There is nothing worse than a company taking advantage of its own offers for free apps, and it is a total turn-off to the company and its future products. For me that is the quickest way to turn me off to your app, by supplying me with a bunch of junk that I do not need or want and furthermore do not need! I do not know anyone who likes or appreciates aggressive advertising practices!

Paul Sprague
InformationWeek Contributor