A group of researchers from the Department of Computer Science at North Carolina State University has conducted a study and found that more than half of the ad libraries present in Android apps pose a serious security risk to users.
This raises privacy issues because of the type of data these ad libraries collect about the user. For their research, the team studied almost 100,000 apps from Google Play and identified at least 100 different third-party in-app ad libraries that raise a security concern.
They found that the security risks range from uploading users' private information to remote servers to executing malicious code on the device that can harm the user.
Moreover, some of these ad libraries are able to download the code they need from the internet. Most of the companies behind the ad libraries claim that the information they collect is used to direct users to ads that match their interests.
But according to the researchers this isn't the case, because they noticed that the ad libraries collect far more information than is required. The information includes the user's call logs, the device phone number, browser bookmarks and the list of apps installed on the phone.
The ad libraries can use the GPS in your phone to show you area-specific ads, but beyond that intended function the researchers found other suspicious actions from some of the ad libraries, as follows:
- The Sosceo ad library collects the user's call history and transmits it to the internet.
- A large number of ad libraries use an Android API call that retrieves the user's phone number.
- The Mobus ad library reads through the user's text messages to determine the text message service center.
- Ad libraries such as waps upload a list of all the apps that are installed on your phone.
Mobclix has assured us that its ad library will only gain access to your sensitive user data with your permission, but it has failed to mention one other function which slips by the permission rule.
One such function is the GPS, which allows the ad to define a callback that runs whenever the user moves a short distance from their previous position. The user is never notified about this action.
The research team also discovered certain ad libraries that allow malicious code to be downloaded directly to your phone from the internet, where it shows up as an Android app. If you launch the app, it starts behaving like a bot, which then downloads several other apps and makes note of the behavior of your phone.
After discovering such code, the team reported it to Google, and Google immediately removed the seven incriminating apps from Google Play.
App developers should use well-known ad delivery companies that have been certified by Google. In this way the various security risks, and the risk to the user, can be minimized.
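One way a developer can check what an ad library brings with it is to compare the app's decoded manifest before and after the library is added, and flag new permissions that cover the data categories listed above. This is an added example, not code from the researchers; the permission-to-category mapping, the sample manifests and the package name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: Android permissions guarding the data categories in the article.
SENSITIVE = {
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_PHONE_STATE": "device phone number",
    "android.permission.READ_SMS": "text messages",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser bookmarks",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.QUERY_ALL_PACKAGES": "installed app list",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names

def added_by_library(app_manifest, merged_manifest):
    """Sensitive permissions present only after the ad library is merged in."""
    new = requested_permissions(merged_manifest) - requested_permissions(app_manifest)
    return {p: SENSITIVE[p] for p in sorted(new) if p in SENSITIVE}

# Constructed sample manifests (hypothetical package name).
_HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
         'package="com.example.flashlight">')
APP_ONLY = _HEAD + """
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
WITH_AD_LIBRARY = _HEAD + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

if __name__ == "__main__":
    for perm, data in added_by_library(APP_ONLY, WITH_AD_LIBRARY).items():
        print(f"{perm}: exposes {data}")
```

A permission diff shows only what the library asks to be added; library code runs inside the app's process and can also use every permission the app already holds.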
If you know of any such security threats present on Android phones, do let us know.