Security researchers are warning that the ad libraries employed by many mobile applications may be putting sensitive data at risk of exposure due to the extensive and often unnecessary access permissions that are required for their use.
“With so many applications requesting access to private or sensitive information, it’s often difficult for users, let alone IT administrators, to fully understand who’s accessing their data, where it’s being sent, and how it will be used,” the researchers said.
Some of the most significant risk factors affecting corporate employees and individual mobile users, such as data loss and PII collection, originate not in the application itself but in mobile advertising libraries and other library components such as social media or analytics tools.
“These libraries are large packages of code written by a third party, which the developer includes in their mobile app to help them add standard functionality. In this case the developer may use the libraries to collect ad revenues, track user statistics, or integrate with social media APIs,” the researchers explained.
“There are thousands of such libraries available to mobile app developers, each with varying reputations, and developers will often include their code with little or no review. Although many of these libraries refrain from collecting PII and have sensible privacy policies, not all libraries are so reputable, and for most users it’s impossible to know which ad library is included in a particular app.”
The researchers analyzed over eleven million URLs that many popular applications connect to, breaking them down into several categories, including ad networks, social media, and analytics APIs, finding that:
- Business users connect to at least as many data gathering libraries as consumer users, and in some cases more, leaving enterprises at risk for sensitive data loss
- Some of the top ad libraries such as AdMob, AirPush and Flurry leak private information such as which mobile apps you have downloaded onto your phone, precise geo-location data including your zip code, your device ID number, web browsing history and more
- 65% of applications downloaded by business users connect to an ad network
- 40% of applications downloaded by business users connect to a social network API
- At least 78% of all applications downloaded by business users connect to either an ad network, social media API, or analytics API
“The bottom line is that you may trust the author of a particular app, but you may not even know the authors of the components (libraries) which are gathering the most information about you,” they continued. “In almost all cases, a user is bound by the library’s data policies simply by downloading and installing an app which includes it, without ever getting a chance to review the policy details.”
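The URL categorization described above can be reproduced on a smaller scale when vetting apps for a managed fleet. The following is an added example, not the researchers' code: the category list, domains and app identifiers are constructed placeholders, and the input is assumed to be (app, URL) pairs captured from a test device.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical category list keyed by domain; these are constructed
# placeholder domains, not real ad, social or analytics endpoints.
CATEGORIES = {
    "adnet.example": "ad_network",
    "social.example": "social_api",
    "metrics.example": "analytics_api",
}

def categorize(url):
    """Return the category for a URL's host, matching on whole domain labels."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Try the full host, then each parent domain, so sdk.adnet.example matches
    # adnet.example but notadnet.example does not.
    for i in range(len(labels)):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return None

def summarize(observed):
    """observed: iterable of (app_id, url). Returns percent of apps per category."""
    per_app = defaultdict(set)
    for app, url in observed:
        per_app[app]  # register the app even if none of its URLs match
        category = categorize(url)
        if category:
            per_app[app].add(category)
    total = len(per_app)
    report = {c: 0 for c in set(CATEGORIES.values())}
    report["any"] = 0  # apps touching at least one tracked category
    for cats in per_app.values():
        for c in cats:
            report[c] += 1
        report["any"] += bool(cats)
    return {k: round(100 * v / total) for k, v in report.items()} if total else {}

# Constructed sample of per-app connections.
SAMPLE = [
    ("com.example.notes", "https://sdk.adnet.example/v1/init?id=123"),
    ("com.example.notes", "https://api.notes.example/sync"),
    ("com.example.mail", "https://graph.social.example/share"),
    ("com.example.mail", "https://t.metrics.example/event"),
    ("com.example.calc", "https://notadnet.example/ads"),
    ("com.example.scan", "https://SDK.AdNet.Example./banner"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The "any" figure corresponds to the combined statistic in the list above: apps that connect to at least one of the three categories.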