Android apps pose privacy risks, say researchers

Advertisers are being granted access to personal information through adverts served in Android apps, creating privacy risks, according to researchers from North Carolina State University.Companies such as MobClix, a third party ad-exchange company, gain access to personal information through user permissions, the North Carolina (NC) academics found, echoing earlier research findings.

Advertisers are being granted access to personal information through adverts served in Android apps, creating privacy risks, according to researchers from North Carolina State University.

Companies such as MobClix, a third party ad-exchange company, gain access to personal information through user permissions, the North Carolina (NC) academics found, echoing earlier research findings.

"The main concern is that ad libraries are launched in the context of host applications," NC researcher Xuxian Jiang told ZDNet UK on Tuesday.

MobClix gains access to information including calendaring, contacts and call logs. Google AdMob gains access to location data, according to a paper by the researchers (PDF).

The issue hinges around permissions gained from the user, said Jiang. In-app ad libraries get the same permissions as granted to the app by the user.

"Ad libraries gaining primary permissions may leak personal information to others, and upload information out of the control of the user," said Jiang. "Malware is another threat — many approved ad libraries use unsafe mechanisms to download ads."

Downloading any untested code can create security problems, Jiang said in a statement on Monday.

The NC researchers studied over 100,000 apps in the official Google Play market. More than half contained ad libraries, and 297 of the apps included "aggressive ad libraries that were enabled to download and run code from remote servers," NC said in the statement.

Companies including Google and Apple should provide the impetus for a more fine-grained approach to user permissions in apps, Jiang told ZDNet UK.

Research published in March and undertaken on behalf of Channel 4 News found that third parties, including MobClix, were being granted the same permissions as host apps.

MobClix answered the March research with a blog post on 6 March saying it only captured information after opt-in from the user.

"Mobclix has never captured information about users' contacts, calendars and location without expressed permission from users," said the post.