Can you ever get something for free? When it comes to smartphone apps, don't bet on it.

Most smartphone applications that are provided "for free"--both for iOS and Android--want something in return, and the tradeoff often comes at the expense of users' privacy. According to mobile security firm Lookout, for example, more than half of free Android apps use advertising networks and exchanges.

While most people will choose to trade advertising for access to a free app, Lookout warned that over 5% of free Android apps interface with at least one "aggressive" ad network that exhibits behavior that borders on malicious. By Lookout's count, free Android apps that interface with aggressive advertising networks have been downloaded by consumers at least 80 million times.

[ Google recently removed from Google Play malware disguised as two popular games. Read more at More Android Malware Pulled From Google Play. ]

"The presence of aggressive ad networks in mobile apps is one of the most prevalent mobile privacy issues today," said Lookout CTO Kevin Mahaffey via email. As examples of aggressive techniques, he pointed to push advertising being delivered via notification bars in devices, advertising programs that create their own desktop icons or shortcuts, and programs that modify browser bookmarks or change the default mobile browser homepage to an advertiser-selected site.

Mahaffey's warning was issued on the eve of the National Telecommunications and Information Administration, which is part of the Department of Commerce, convening a mobile privacy stakeholder meeting, scheduled for Thursday in Washington.

Springboarding off the White House's Consumer Privacy Bill of Rights, proposed earlier this year, the meeting's principle objective--according to the official overview--is to begin discussions about the best way to design "a code of conduct to provide transparency in how companies providing applications and interactive services for mobile devices handle personal data."

According to the NTIA, "a code of conduct might address how best to convey data practices to consumers who download mobile apps and use interactive mobile services." As seems to so often be the case when it comes to protecting consumer privacy online, however, the federal government is already lagging moves by various states.

In the case of mobile apps, California in particular has been leading the privacy charge. To date, the state has gained assurances from the six technology companies with the largest mobile app market platforms--Amazon, Apple, Google, HP, Microsoft, and Research In Motion, as well as Facebook, that they will require app developers to clearly detail to consumers exactly which data they're collecting, and for what purpose. All app developers will have to include that information in their applications' privacy policies. As a result, California's program stands to improve transparency not just for the state's residents, but all U.S. consumers.

Of course, not all advertising networks would be covered--or necessarily named--via California's code of conduct. So how might a federal-level code of conduct improve matters? One of the principle mobile-advertising-related privacy concerns, according to Lookout, is simply the opaque way in which so much mobile data is currently collected and shared by advertisers. "The mobile advertising ecosystem consists of complex relationships between ad providers, app publishers, and end users. Due to this complexity, it's often difficult for consumers to grasp the degree to which their information has been collected and shared," read a recently released report from Lookout, "Mobile App Advertising Guidelines." As the title suggests, the report contains Lookout's recommendations for rules that all mobile app developers should follow, unless they want their software labeled as "adware" and blocked by security products.

Furthermore, unless advertisers come clean about what information is being collected and shared, they should expect to be regulated, warned Lookout. "Industry regulation, which increasingly becomes a possibility as new, aggressive forms of ad delivery and information collection are explored, is something that can be avoided only with full information disclosure to end users," said the report.

Besides the aggressive advertising practices noted above, "many ad providers are deploying new types of functionality linked to ad touch actions, including triggering of outgoing phone calls, text messages, or creation of calendar events," according to the report. In other words, the mobile advertising ecosystem might evolve in ways that aren't beneficial to consumers. "Given the pace at which the mobile ecosystem is moving, it's important that standards are developed to ensure that private user data is accessed and managed appropriately, and that controversial behavior is properly highlighted," the report stated.

Mobile app advertising standards would apply not just to advertisers, but also developers, which could add some security rigor to current development practices. Even when smartphone app developers' intentions appear to be trustworthy, their software can handle users' personal information in insecure ways, thus exposing the data to the threat of interception. Earlier this year, for example, iOS apps Path and Hipster were found to be leaking contact data. While researchers didn't suggest that either application development firm was grabbing people's contact information for nefarious purposes, the wholesale transmission of people's address books in unencrypted format certainly did nothing to protect the privacy of users' data.

More than 900 IT and security professionals responded to InformationWeek’s 2012 Strategic Security Survey. Our results cover a variety of areas critical to information risk management, including cloud, mobility, and software development. Download the 2012 Strategic Security report now. (Free registration required.)