How ads undermine Android security

Are you giving the app permission .. or the ad module? Or both?
Written by Adrian Kingsley-Hughes, Senior Contributing Editor
A lot of Android developers are now offering their applications for free, choosing instead to monetize them using in-app advertising. But in-app advertising can also leave the end user vulnerable to malware and data leakage.

The problem is that when users install and Android app, they are asked to grant the app certain permissions. However, the problem is that users are not only granting permissions to the app, but also to any ad modules that the app might be shipped with. The way Android displays permissions doesn't make this clear.

Image credit: F-Secure

Think that this can't happen? It can. Here's an example from F-Secure of an Android app that was itself clean, but the ad module it contained harvested phone model details, Android version, phone numbers and IMEI numbers and sent them to a remote server.

What's the solution? Well, the good folks at F-Secure have an idea.

Wouldn't it be clearer to the user if the Permissions tab indicated how the permissions were used by both the main app and the ad module? Or better still, there was a separate permissions tab for the ad module? This would give the user with a clearer idea of what the main app/ad module will do, and they would be in a better position to chose whether they want to proceed with the installation.

Makes sense. Android is under pressure from the bad guys, from Trojanized apps in the official Google Market to vulnerabilities in the bloatware that OEMs pack onto handsets, there are real security issues facing Android users. It's getting so bad that Microsoft kicked off a marketing campaign for Windows Phone based on user frustration with the Android platform, calling it 'Droidrage.' Problem is,so far Google hasn't seemed to want to tackle these thorny issues.

One thing's for sure ... as the popularity of Android grows, something has to change.


Editorial standards