Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Free Android Apps Have Privacy Cost

More than half of free Android apps use advertising networks and exchanges. Most are legit, but about 5% interface with 'aggressive' networks that could threaten your privacy.

Can you ever get something for free? When it comes to smartphone apps, don't bet on it.

Most smartphone applications that are provided "for free"--both for iOS and Android--want something in return, and the tradeoff often comes at the expense of users' privacy. According to mobile security firm Lookout, for example, more than half of free Android apps use advertising networks and exchanges.

While most people will choose to trade advertising for access to a free app, Lookout warned that over 5% of free Android apps interface with at least one "aggressive" ad network that exhibits behavior that borders on malicious. By Lookout's count, free Android apps that interface with aggressive advertising networks have been downloaded by consumers at least 80 million times.

[ Google recently removed from Google Play malware disguised as two popular games. Read more at More Android Malware Pulled From Google Play. ]

"The presence of aggressive ad networks in mobile apps is one of the most prevalent mobile privacy issues today," said Lookout CTO Kevin Mahaffey via email. As examples of aggressive techniques, he pointed to push advertising being delivered via notification bars in devices, advertising programs that create their own desktop icons or shortcuts, and programs that modify browser bookmarks or change the default mobile browser homepage to an advertiser-selected site.

Mahaffey's warning was issued on the eve of the National Telecommunications and Information Administration, which is part of the Department of Commerce, convening a mobile privacy stakeholder meeting, scheduled for Thursday in Washington.

Springboarding off the White House's Consumer Privacy Bill of Rights, proposed earlier this year, the meeting's principle objective--according to the official overview--is to begin discussions about the best way to design "a code of conduct to provide transparency in how companies providing applications and interactive services for mobile devices handle personal data."

According to the NTIA, "a code of conduct might address how best to convey data practices to consumers who download mobile apps and use interactive mobile services." As seems to so often be the case when it comes to protecting consumer privacy online, however, the federal government is already lagging moves by various states.

In the case of mobile apps, California in particular has been leading the privacy charge. To date, the state has gained assurances from the six technology companies with the largest mobile app market platforms--Amazon, Apple, Google, HP, Microsoft, and Research In Motion, as well as Facebook, that they will require app developers to clearly detail to consumers exactly which data they're collecting, and for what purpose. All app developers will have to include that information in their applications' privacy policies. As a result, California's program stands to improve transparency not just for the state's residents, but all U.S. consumers.

Of course, not all advertising networks would be covered--or necessarily named--via California's code of conduct. So how might a federal-level code of conduct improve matters? One of the principle mobile-advertising-related privacy concerns, according to Lookout, is simply the opaque way in which so much mobile data is currently collected and shared by advertisers. "The mobile advertising ecosystem consists of complex relationships between ad providers, app publishers, and end users. Due to this complexity, it's often difficult for consumers to grasp the degree to which their information has been collected and shared," read a recently released report from Lookout, "Mobile App Advertising Guidelines." As the title suggests, the report contains Lookout's recommendations for rules that all mobile app developers should follow, unless they want their software labeled as "adware" and blocked by security products.

Furthermore, unless advertisers come clean about what information is being collected and shared, they should expect to be regulated, warned Lookout. "Industry regulation, which increasingly becomes a possibility as new, aggressive forms of ad delivery and information collection are explored, is something that can be avoided only with full information disclosure to end users," said the report.

Besides the aggressive advertising practices noted above, "many ad providers are deploying new types of functionality linked to ad touch actions, including triggering of outgoing phone calls, text messages, or creation of calendar events," according to the report. In other words, the mobile advertising ecosystem might evolve in ways that aren't beneficial to consumers. "Given the pace at which the mobile ecosystem is moving, it's important that standards are developed to ensure that private user data is accessed and managed appropriately, and that controversial behavior is properly highlighted," the report stated.

Mobile app advertising standards would apply not just to advertisers, but also developers, which could add some security rigor to current development practices. Even when smartphone app developers' intentions appear to be trustworthy, their software can handle users' personal information in insecure ways, thus exposing the data to the threat of interception. Earlier this year, for example, iOS apps Path and Hipster were found to be leaking contact data. While researchers didn't suggest that either application development firm was grabbing people's contact information for nefarious purposes, the wholesale transmission of people's address books in unencrypted format certainly did nothing to protect the privacy of users' data.

More than 900 IT and security professionals responded to InformationWeek’s 2012 Strategic Security Survey. Our results cover a variety of areas critical to information risk management, including cloud, mobility, and software development. Download the 2012 Strategic Security report now. (Free registration required.)

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Guest.
50%
50%
Guest.,
User Rank: Apprentice
7/14/2012 | 3:49:22 AM
re: Free Android Apps Have Privacy Cost
> warned that over 5% of free Android apps interface with at least one "aggressive" ad network t

Wow. A whopping 5%. That's far from a major problem.
Guest.
50%
50%
Guest.,
User Rank: Apprentice
7/14/2012 | 3:48:14 AM
re: Free Android Apps Have Privacy Cost
The OS needs a fix: If I see *ANYTHING* in my notification-bar that is spam... 1 long-click... uninstalls the app that made it.

Done.

Also, I have *NEVER* seen any apps that make random shortcuts, or change my browser bookmarks. The OS could easily prevent that. Only allowing the app that made the data... to change the data.

ANON1237925156805
50%
50%
ANON1237925156805,
User Rank: Apprentice
7/13/2012 | 7:35:07 PM
re: Free Android Apps Have Privacy Cost
These initiatives are a good idea, but who knows what impact they will have and when? In the meantime, consumers should make wise choices.

I learned my lesson about free apps with ads from supposedly reliable vendors years ago when I opted for free Grokster on my PC to save $29.95. That price differential sure made free seem like a reasonable choice and Grokster was getting all kinds of favorable press. A week later I detected that my PC had been conscripted into a spybot army. Ouch!

In the mobile universe apps that are offered in free and paid versions never cost more than $5.00 for the paid version; sometimes they are as cheap as $.99. Those who grouse about "not free" could easily fund such a rash expenditure by eliminating one visit to Starbucks.

My current policy: I try to evaluate apps online and look for friends who have them and are willing to let me play. In rare cases I may install a free version for a day or two to eval. Once it's clear I'll use an app then I pay to eliminate the advertising.

PJS880
50%
50%
PJS880,
User Rank: Ninja
7/12/2012 | 3:30:05 PM
re: Free Android Apps Have Privacy Cost
I recently bought a second phone, because I was traveling to another country and my carrier does not offer international calling. I went with the Galaxy SII, it was a reasonable cost and I liked the features. As with any new phone after setting up the basics I began to fill up my applications with the apps that I liked or thought I could use on the trip. I now have pop ups in my notification bars an also I will find various app icons on my home pages that are spam. There is nothing worse than a company taking advantage of its own offers for free apps and it is a total turn off to the company and its future products. For me that am the quickest way to turn me off to your app, by supplying me with a bunch of junk that I do not need or want and furthermore do not need! I do not know anyone who like or appreciates aggressive advertising practices!

Paul Sprague
InformationWeek Contributor
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15596
PUBLISHED: 2020-08-12
The ALPS ALPINE touchpad driver before 8.2206.1717.634, as used on various Dell, HP, and Lenovo laptops, allows attackers to conduct Path Disclosure attacks via a "fake" DLL file.
CVE-2020-15868
PUBLISHED: 2020-08-12
Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control.
CVE-2020-17362
PUBLISHED: 2020-08-12
search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS.
CVE-2020-17449
PUBLISHED: 2020-08-12
PHP-Fusion 9.03 allows XSS via the error_log file.
CVE-2020-17450
PUBLISHED: 2020-08-12
PHP-Fusion 9.03 allows XSS on the preview page.