A new study by a group of researchers from the Department of Computer Science at the North Carolina State University has discovered that more than half of the ad libraries used by Android developers pose security risks and raise privacy concerns because of  the questionable types of data they collect.

The team studied 100,000 apps from Google Play and identified 100 different 3rd party in-app ad libraries commonly used by Android app developers. Further research into the ad libraries themselves showed that many contained inherent privacy and security risks ranging from uploading private information to remote servers to executing untrusted code downloaded directly from the Internet.

Most ad libraries collect a selection of data from a user’s phone to help create targeted adverts; however, the North Carolinian team found that many libraries collect far too much data, including records of the user’s call logs, the device’s phone number, the browser bookmarks, and even the list of apps installed on the phone.

On top of this, it was also discovered that some libraries make use of insecure mechanisms to directly download and run code from the Internet, without any system to verify the validity of the downloaded code or its authenticity. Such systems are an inherent security risk.

“Our investigation indicates the symbiotic relationship between embedded ad libraries and host apps is one main reason behind these exposed risks. These results clearly show the need for better regulating the way ad libraries are integrated in Android apps,” wrote Michael Grace in the report.

Other than using the GPS to determine the users’ location (and hence target users with location-based adverts), the team found that some libraries performed more insidious actions:

  • The Sosceo ad library collects the user’s call history and transmits some of it to the Internet.
  • A large number of ad libraries use an Android API call that retrieves the user’s phone number.
  • The Mobus ad library reads through the user’s SMS messages to determine which text-messaging service center they use.
  • Some ad libraries (including waps) upload a list of all the installed apps on the phone.

Untamed JavaScript running inside ads

Mobclix, one of the most popular ad libraries, tries to offer an advantage over its competitors by giving advertisers access to most of the sensors and data on a phone via JavaScript calls. To be fair to Mobclix, most of these calls are implemented in such a way that user confirmation is requested when an ad tries to access sensitive information. However, some functions have slipped through the net. For example, one GPS function allows the ad to define a callback that is run whenever a user moves more than a short distance from their previous position. The user is never asked for their consent or notified about this behavior.

Random downloads to your phone

Five of the 100 identified libraries contain functionality that downloads and runs code from the Internet. Such behavior opens up the possibility for unscrupulous third parties to offer malicious code, which is innocently downloaded by the Android app and run on the device. In one instance, the team discovered an ad library embedded in several apps which downloaded a .jar file containing code to listen to remote commands and turn the host app into a bot. The team reported these discoveries to Google, which quickly removed seven offending apps from Google Play.
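As an added example (not code from the study or from this article), the script below shows how an app developer or reviewer can triage an APK for the behaviours listed in the bullet points above and in this section: it scans disassembler output (class-and-reference pairs, as dexdump or smali would list them) for the real Android APIs and content URIs behind each behaviour and groups the hits by library package. The ad-library package names and the sample references are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Real Android identifiers, written the way a disassembler emits them, mapped to
# the risk category from the study that each one indicates.
RISK_SIGNATURES = {
    "call_log": [r"Landroid/provider/CallLog", r"content://call_log"],
    "phone_number": [r"Landroid/telephony/TelephonyManager;->getLine1Number"],
    "sms": [r"content://sms"],
    "installed_apps": [r"Landroid/content/pm/PackageManager;->getInstalled(Packages|Applications)"],
    "dynamic_code": [r"Ldalvik/system/DexClassLoader;"],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in RISK_SIGNATURES.items()}

# Constructed sample: (declaring class, method reference or string constant).
SAMPLE_REFS = [
    ("Lcom/host/app/MainActivity;", "Landroid/location/LocationManager;->getLastKnownLocation"),
    ("Lcom/adnet/alpha/Collector;", "Landroid/telephony/TelephonyManager;->getLine1Number"),
    ("Lcom/adnet/alpha/Collector;", "content://call_log/calls"),
    ("Lcom/adnet/alpha/Collector;", "content://sms/inbox"),
    ("Lcom/adnet/beta/Loader;", "Ljava/net/URL;->openConnection"),
    ("Lcom/adnet/beta/Loader;", "Ldalvik/system/DexClassLoader;-><init>"),
    ("Lcom/adnet/beta/Inventory;", "Landroid/content/pm/PackageManager;->getInstalledPackages"),
]


def package_of(class_desc):
    """'Lcom/adnet/alpha/Collector;' -> 'com.adnet.alpha' (Dalvik type descriptor)."""
    body = class_desc[1:-1] if class_desc.startswith("L") and class_desc.endswith(";") else class_desc
    return ".".join(body.split("/")[:-1])


def triage(refs, host_prefix):
    """Map each non-host package to the sorted risk categories its code references.

    The host app's own package (host_prefix) is skipped so that only embedded
    libraries are reported; everything else in the APK is treated as third party.
    """
    findings = defaultdict(set)
    for cls, ref in refs:
        pkg = package_of(cls)
        if pkg.startswith(host_prefix):
            continue
        for cat, patterns in COMPILED.items():
            if any(p.search(ref) for p in patterns):
                findings[pkg].add(cat)
    return {pkg: sorted(cats) for pkg, cats in sorted(findings.items())}


def loads_remote_code(findings):
    """Packages that load code at run time: the highest-risk class in the study."""
    return [pkg for pkg, cats in findings.items() if "dynamic_code" in cats]


if __name__ == "__main__":
    result = triage(SAMPLE_REFS, "com.host")
    for pkg, cats in result.items():
        print(pkg, ", ".join(cats))
    print("dynamic code loading:", loads_remote_code(result))
```

A hit on `dynamic_code` only says the library can load code at run time; whether it verifies what it downloads still has to be checked by hand, which is exactly the gap the study describes.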

More needed from Google

App developers should stick with well-known and trusted ad companies and Google should offer a certification scheme to approve ad libraries. Once a library is embedded into an app, even the most honest developer leaves their app open to the actions of the ad network.

Gary Sims
Gary has been a tech writer for over a decade. Prior to that, he had over 10 years of experience as a software engineer.