The privacy problems with mobile apps continue. In recent weeks, we learned that apps on mobile devices were uploading users’ entire address books without permission and allowing companies access to users’ photos without permission. Congress is investigating. Now, Ars Technica reports on privacy and security problems caused by the advertising libraries embedded in Google Android apps:
A team of researchers at North Carolina State University has found that many of the libraries used in free Android applications to display in-application advertisements also pose a threat to privacy, and can be used by attackers to get past Android security. In some cases, the software libraries used by these apps “go a step further by making use of an unsafe mechanism to directly fetch and run code from the Internet, which immediately leads to serious security risks,” the researchers wrote in a paper to be presented at the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks in Tucson on April 17th.
A team led by NC State assistant professor of computer science Dr. Xuxian Jiang examined 100,000 apps from Google Play (formerly known as the Android Market). They found that nearly half of them had libraries that track a user’s GPS location—and one in 23 allowed that data to be passed back to the advertiser. In some cases, the NC State team found that libraries also could access a user’s call logs, the user’s phone number, and a list of other apps on the phone.
In this paper, we focus on potential privacy and security risks posed by these embedded or in-app advertisement libraries (henceforth “ad libraries,” for brevity). To this end, we study the popular Android platform and collect 100,000 apps from the official Android Market in March-May, 2011. […]
Our results show that most existing ad libraries collect private information: some of them may be used for legitimate targeting purposes (i.e., the user’s location) while others are hard to justify by invasively collecting the information such as the user’s call logs, phone number, browser bookmarks, or even the list of installed apps on the phone. Moreover, additional ones go a step further by making use of an unsafe mechanism to directly fetch and run code from the Internet, which immediately leads to serious security risks. Our investigation indicates the symbiotic relationship between embedded ad libraries and host apps is one main reason behind these exposed risks. These results clearly show the need for better regulating the way ad libraries are integrated in Android apps.