With each passing day it seems that smartphone app users are learning about new risks to their security and privacy. Among the most recent discoveries: potentially invasive mechanisms in a category of app software known as ad libraries – advertising-oriented software that is embedded in apps to collect information about users for ad-targeting purposes.
The finding is part of an analysis conducted from March through May of last year by computer science researchers at North Carolina State University who examined 100 ad libraries selected from 100,000 apps in Google’s (NASDAQ:GOOG) Android Market. (Android Market recently was folded into the company’s Google Play app store.) The researchers said the 100 ad libraries, most of which were designed to collect private information, were embedded in 52% of the selected apps.
Some of the ad libraries collected information merely for ad targeting. Some collected call logs, phone numbers, browser bookmarks and, in some cases, lists of apps installed on the phone. Still others included what the researchers described as unsafe mechanisms that enable the software to download and run code from remote servers. “In fact,” the researchers warn, “we have confirmed one particular case that fetches and loads suspicious payloads.”
The apps are removed, but concerns linger
The researchers said they notified Google about the affected apps and that all had been removed from the Android Market. Nonetheless, the researchers said the results of their analysis suggest the need for additional mechanisms to monitor the functions of ad libraries on Android.
Because many of the apps are free to download, developers embed ad libraries in them so they can be compensated for their work. The university’s researchers said that when such an app is in use, the ad library contacts the ad network’s servers to request ads for display. In the process the ad library might also send analytical information about users of the app back to the network, which then pays the developer based on a metric that measures the exposure each individual app gives the network and its advertisers.
The report points out that the private information obtained can be used to deduce the true identity of the user and enable more comprehensive tracking of the user’s habits. “One particular popular ad library (used in 4,190 apps in the researchers’ dataset) even allows a variety of personal information to be directly accessible to the advertisers, creating unnecessary additional opportunities for misuse,” the report said.
PC Magazine points out that the study found that Android’s permissions model can’t distinguish between actions performed by an ad library and those performed by its hosting app. As a result, “the current Android system provides little indication of the existence of these threats within any given app. Researchers say that ‘necessitates a change in the way existing ad libraries can be integrated into host apps.’”
App privacy has been a hot topic in recent months amid discoveries that some apps were designed to download address book data from Apple’s (NASDAQ:AAPL) iPhone without user authorization, and could copy and store the photo libraries of Android smartphone users without their permission. The discoveries, along with a report by The Wall Street Journal that Google employed workaround code to track users of Apple’s Safari Web browser, have sparked an investigation of Google by the Federal Trade Commission and a class action lawsuit against 18 firms, including Apple, LinkedIn (NYSE:LNKD), Yelp (NYSE:YELP) and Facebook.
PC Magazine also notes that last month the FTC said that developers of apps designed for children have fallen short of the agency’s expectations for privacy disclosures.