How ads undermine Android security

How ads undermine Android security

Summary: Are you giving the app permission .. or the ad module? Or both?

SHARE:

A lot of Android developers are now offering their applications for free, choosing instead to monetize them using in-app advertising. But in-app advertising can also leave the end user vulnerable to malware and data leakage.

The problem is that when users install and Android app, they are asked to grant the app certain permissions. However, the problem is that users are not only granting permissions to the app, but also to any ad modules that the app might be shipped with. The way Android displays permissions doesn't make this clear.

Image credit: F-Secure

Think that this can't happen? It can. Here's an example from F-Secure of an Android app that was itself clean, but the ad module it contained harvested phone model details, Android version, phone numbers and IMEI numbers and sent them to a remote server.

What's the solution? Well, the good folks at F-Secure have an idea.

Wouldn't it be clearer to the user if the Permissions tab indicated how the permissions were used by both the main app and the ad module? Or better still, there was a separate permissions tab for the ad module? This would give the user with a clearer idea of what the main app/ad module will do, and they would be in a better position to chose whether they want to proceed with the installation.

Makes sense. Android is under pressure from the bad guys, from Trojanized apps in the official Google Market to vulnerabilities in the bloatware that OEMs pack onto handsets, there are real security issues facing Android users. It's getting so bad that Microsoft kicked off a marketing campaign for Windows Phone based on user frustration with the Android platform, calling it 'Droidrage.' Problem is,so far Google hasn't seemed to want to tackle these thorny issues.

One thing's for sure ... as the popularity of Android grows, something has to change.

Related:

Topic: Software Development

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

35 comments
Log in or register to join the discussion
  • RE: How ads undermine Android security

    Hey, just root the phone. That seems to be the answer to everything.
    dhmccoy
    • RE: How ads undermine Android security

      @dhmccoy
      most companies wont allow the use of rooted phones on their network.
      tiderulz
      • RE: How ads undermine Android security

        @tiderulz
        The devil you say!
        dhmccoy
    • RE: How ads undermine Android security

      @dhmccoy The only with rooting is that I think it may be analogous to logging onto your PC as Administrator. Does this make your phone more secure or less?
      I don't know the OS well enough to answer that question myself.
      WKCook
      WKCook
      • RE: How ads undermine Android security

        @WKCook: Not really, because the Superuser app is a bit like UAC. All apps don't get root.
        Natanael_L
      • Rooting

        @WKCook
        That's a great idea - IF - you know what you are doing. I only know enough to get myself in trouble so - no thank you!
        use_what_works_4_U
    • Right. Because heading out to some internet site to download a

      hacked ROM from an unknown source is the epitome of secure computing.
      baggins_z
      • RE: How ads undermine Android security

        @baggins_z: Cyanogenmod?
        Natanael_L
      • He's right you know

        @Natanael_L
        If Google (who are counting on the customer trusting them) can't be trusted to prevent this sort of thing, what would make me think that the people behind Cyanogenmod would be any better? At least if harm is done I can sue Google for recompense. Who would I go to in the "open source community" if there's a problem?

        Linux on my PC is one thing. On my phone is another (bag of unknown) that I'm not comfortable with.
        use_what_works_4_U
      • RE: How ads undermine Android security

        @macadam

        But... I thought Android was perfect and anyone who didn't think so or didn't want to root their device was just stupid and a minority... That what Linux_Geek, et al told me...

        (If you don't get sarcasm, ignore this post.)
        eak2000
      • RE: How ads undermine Android security

        @baggins_z So don't use hacked ROM from unknown sources!
        Instead, use proven ROMs from known sources!
        Complicated or what?
        Sheesh!
        radleym
  • RE: How ads undermine Android security

    Don't forget the content! I had a similar experience. The app in question drained my battery fast and the ads were terrible. I would definitely not want my grandchildren watching when one of them popped up. I would have a lot of explaining to do! I had to restart the phone to close the app before I could uninstall. They should warn that adult content could be included.

    WKCook
    WKCook
    • RE: How ads undermine Android security

      @WKCook
      How about telling us the name of the app so we can avoid it?
      lcplwilson
      • RE: How ads undermine Android security

        @lcplwilson@...
        I am hesitant only because there seem to be many apps that have the same name.
        This was Word Solver Lite. It had 4.5 stars and the majority of reviews were good. When opened it stayed resident in the bar at the top of the screen. You had to use the programs menu to exit and that did not always work. But the ads were the most disturbing (I???m an old fogy so not everyone may agree). There were a few regular ads but most were of the social networking variety...And most of those involved scantily dressed women offering to chat, etc. It is easy to accidentally click/touch as I once did. I was immediately offered a chat session with someone in my home town that wanted to meet me. Just didn???t seem right so I uninstalled.
        What good is the market and reviews if you can???t trust what you read?
        Anyway, I???ll get off my soapbox. You can always go read about the app on the Market w/o installing.
        WKCook
        WKCook
    • RE: How ads undermine Android security

      @WKCook ...Hope you were able to write a review of the app stating as such before you uninstalled it. Seems like the information you have would be useful for those that don't want to see that kind of ad content.
      1019902735
  • Google needs to curate apps and ads in the Android Market

    Most users don't pay any mind to the app permissions. Why would they pay any mind to ad permissions?<br><br>Google needs to find a way to keep malicious apps and ads out of the Android Market.
    Rabid Howler Monkey
    • But then

      @Rabid Howler Monkey
      ...what would be the difference between a "nanny Google" and the "nanny Apple" that so many hate precisely because they wield so much control?

      Personally I don't have a problem with it, but the question does arise ...
      use_what_works_4_U
      • RE: How ads undermine Android security

        @macadam

        Because anything Google (or the Open Source community) does is good and anything Microsoft, Oracle or the Big Bad Apple do is bad. Duh.
        eak2000
      • RE: How ads undermine Android security

        @eak2000
        +1
        use_what_works_4_U
  • Developers and In-App Advertising

    Developers should know their components. If you are not aware of the in-app advertising company, don't react if the third party has an issue it's just as much the developers fault. I do like the thought of permission seperation but think that there should be a warning to include something such as "warning: adult content" if your ad provider approves such ads and you don't care to filter them. Developers who chose such companies to work with are as much at fault as the ad companies that allow malicious code into their ad apps. F-Secure sounds like they are on the right track, now we have to support the idea and work with ad companies that will too.
    tazspaz