A lot of Android developers are now offering their applications for free, choosing instead to monetize them using in-app advertising. But in-app advertising can also leave the end user vulnerable to malware and data leakage.
The problem is that when users install an Android app, they are asked to grant the app certain permissions. However, users are not only granting those permissions to the app, but also to any ad modules that the app ships with. The way Android displays permissions doesn't make this clear.
Think that this can't happen? It can. Here's an example from F-Secure of an Android app that was itself clean, but the ad module it contained harvested phone model details, Android version, phone numbers and IMEI numbers and sent them to a remote server.
Wouldn't it be clearer to the user if the Permissions tab indicated how the permissions were used by both the main app and the ad module? Or better still, if there were a separate permissions tab for the ad module? This would give the user a clearer idea of what the main app and ad module will do, and they would be in a better position to choose whether they want to proceed with the installation.
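A developer or reviewer can already build that kind of per-component breakdown from manifests. The sketch below is an added example, not code from the article or from F-Secure; it assumes the ad module ships its own `AndroidManifest.xml` (as Android library packages do), and the two manifests, the package names and the `ad_module` label are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Constructed sample manifests (hypothetical app and ad module, not real packages).
APP_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

AD_MODULE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.adsdk">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names a single manifest declares."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def permission_breakdown(app_xml, modules):
    """Map every permission the installed app will request to the
    components ("app" or a module label) whose manifest declares it."""
    breakdown = {}
    for source, xml in {"app": app_xml, **modules}.items():
        for perm in requested_permissions(xml):
            breakdown.setdefault(perm, []).append(source)
    return {perm: sorted(srcs) for perm, srcs in sorted(breakdown.items())}


def module_only(breakdown):
    """Permissions the user is asked for solely because of bundled modules."""
    return sorted(p for p, srcs in breakdown.items() if "app" not in srcs)


if __name__ == "__main__":
    report = permission_breakdown(APP_MANIFEST, {"ad_module": AD_MODULE_MANIFEST})
    for perm, srcs in report.items():
        print(f"{perm:45} declared by: {', '.join(srcs)}")
    print("Requested only because of bundled modules:", module_only(report))
```

Manifest attribution is a lower bound: once a permission is granted, all code in the app, including the ad module, can use it whether or not the module declared it.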