F-Secure: Android adverts pose security risk
By Stewart Mitchell
Posted on 10 Jan 2012 at 13:44
Android adverts could prove a privacy risk, according to a security company, because of the way the operating system handles permissions granted to advertisers via apps.
Research from F-Secure showed that the way adverts are bundled within applications in Android could leave end users exposed, because there is no way to give an application access to data without granting advertisers the same rights.
“When the user accepts and grants permission for the main app to install, the user is also by extension allowing the ad modules to use those same permissions,” F-Secure said in a blog post. “Sometimes, the permissions are only used by the ad module, not the main application.”
According to the security company, this leaves users in a “grey area” where they can't be sure exactly what information they are allowing an effectively unknown company to access on their handsets.
The company used an example showing the permissions tab of an ad-supported app downloaded from the official Android Market, with a very generic description of the permissions.
“Wouldn't it be clearer to the user if the Permissions tab indicated how the permissions were used by both the main app and the ad module?” the company said. “Or better still, there was a separate permissions tab for the ad module?
“This would give the user a clearer idea of what the main app/ad module will do, and they would be in a better position to choose whether they want to proceed with the installation.”
The company cited a recent example of an app found in the Android Market that sniffed and sent phone data to remote servers after being given permission during installation.
“We had a recent case, where the main app was clean, but the ad module was the problem: it collected confidential user information and sent it out to a remote server,” F-Secure said.
“Most advertising services need some info from the phone in order to serve 'targeted' advertisements, but we considered that the module was asking for rather too much info.”
Why?
Why should the advert have any permissions at all? It needs to display a quick message or image and launch the browser, if the user clicks on it.
That means that the advertising module should have permissions to receive data from 1 IP address and permission to start the standard web browser. It should never receive any other permission.
By big_D on 10 Jan 2012
